THE MAGAZINE
Security system management is just the tip of the iceberg.
PUBLISHER Cronos Security Prins Boudewijnlaan 41 2650 Edegem +32 (0)3 4506789 info@cronossecurity.be
CHIEF EDITOR Cronos Group nv Veldkant 35a 2550 Kontich
EDITORS Lieven Van de Walle Maarten Wouters Roger Sels Stefan De Hondt Stijn Jans Ulrich Seldeslachts
PARTNERS Cisco Citrix intigriti Omada Shiftz
LAY-OUT Noticed hallo@noticed.be
Table of contents
Editorial
About Cronos Security
Gain control over your security risk
GDPR: Get your Data Protection Right
Nynox: Security as a service
Building a security architecture: our layers of protection
The Digital Workspace
Security Intelligence service
Cisco 2017 Annual Cybersecurity report
intigriti: Ethical Hacking in Belgium
Omada identity suite
Omada solution overview
Editorial
Information Security Finally Back to Business Leadership ULRICH SELDESLACHTS Information Security is gaining in maturity. ICT Security and Cyber Security professionals are getting attention. Organizations and their corporate governance structures have actually started to listen to their experts. This positive evolution does present some challenges to both ICT Security Professionals, the entire organization and its customers and suppliers. Regulations, business disruption, physical security risks, industrial espionage or brand defacement are just a couple of the most obvious business impacts resulting from information security incidents, which will require Executive Team and Board of Directors’ attention. This is a positive evolution because it finally provides some space to discuss ICT security incidents and potential risks and how they can be prevented. Privacy and data protection are being considered more frequently. Continuity, resilience and improved overall security are taken into account in view of their added value to customers and partners. This positive evolution allows for a more strategic positioning of information security and expects sufficient visibility and communication efforts. Continuous awareness creation efforts and engaging the entire executive team in serious gaming and incident simulations are part of today’s state of the art security practices.
This well-deserved attention has to be engaged and directed towards policy-making efforts and towards converting our security risks into measurable and comprehensible performance indicators. Maturity has to persevere towards innovation, responsibility, people and resources. This attention span requires information security to actively participate in the organization, striving towards improved services and products and considering interesting business partners and customers. Cyber Security interest needs to be put into action in the digital transformation challenges organizations cope with today. That doesn’t only imply asking the right questions, but presenting the right answers and solutions at the right time, identifying potential risks and challenges, and taking responsibility to start working on those risks in order to be able to manage, measure, analyze and predict where possible. Information Security should guide the organization to ensure suitable security measures and practices. Increased IoT, frequent cloud use and more complex and targeted attacks are indicative of the future. Even skilled workforces should be provided with mitigation measures based upon automation, information and intelligence, and with reliable partners allowing us to discuss incidents and impact analysis. Organizations require a skilled and drilled incident management team ready to support 24/7, to ensure the least possible disruption. For all of this, the organization requires leadership. Leadership with authority.
Security is not core business for most organizations. But equally for companies having security as their primary activity, ICT security and Cyber Security are a constant challenge for the organization to deal with. Best practices from those companies who have been showing advances in the state of the art and successfully mastering challenges and incidents have taught us five critical success factors: 1) Internal partners: in organizations performing excellently in information security, CISOs have been able to create a network of reliable internal relations, which can be activated in due course. They empowered the organization on facts, with business leaders managing their own risks, with the information security activities being part of these departments, but working as a business unit. The team is composed of technically qualified and business-oriented staff. Information Security value is being communicated and driven towards success. 2) Change management role: in over 75% of the companies performing excellently in information security, stakeholders from all levels are proactively and systematically involved. Conversely, information security staff are involved in key processes and strategic discussions within the organization. 3) Information Security teams should not stand down until they can join the business and development teams around the table, but neither should they force themselves into participating. The value of information security and cyber security will need to be repeatedly integrated into the overall business value.
This will especially be the case for product and service development, given the impact of the GDPR (General Data Protection Regulation) and the need to properly secure the personally identifiable information of customers and partners. Personal data transactions have to be made transparent, consent-based and accurate. In more than half of the organizations with a well-performing information security operation, the executive teams have been involved in one or multiple cyber threat and simulation exercises. 4) A cyber frame, not just a team: the right people and the right balance make the difference in organizations performing very well in information security challenges, in over 80% of the organizations. The frame is supported by technical expertise such as security configuration, command and control, software security, access control, awareness and training, analysis and detection, prevention, incident management and recovery. All of these domains define the C-IQ, the CISO Impact Quotient. The higher the information security score, the greater its impact within the organization. 5) Sufficient impact requires five to seven years: organizations scoring well in information security have been developing various technical skills throughout the organization over the years, on the basis of the right competence mix. Organizations scoring best in impact are those who have mastered the optimal combination of the right technical expertise with sufficient business qualities. Ever since McKinsey & Co (www.mckinsey.com) started publishing regularly on cybersecurity (August 2015) and putting it on the agenda of the executive leadership team, the topic has gained interest and maturity amongst businesses.
For information security professionals, this attention span is a window of opportunity to optimize and gain a more efficient and effective information security management on the basis of the other successful characteristics: sufficient internal partners, avoiding being trapped on an ICT-security island, taking the role of a proactive change agent, and a well-balanced technical and business-driven team taking the time to facilitate change. Next time you’re in the elevator with one of your Directors or Board Members, you know what to talk about.
Cronos Security
About us

1. THE IMPORTANCE OF END-TO-END SECURITY
Considering and providing real end-to-end security is what we do at Cronos Security. The underlying figure is a graphical representation of the information security challenges and threats that organizations face within today’s society. Generally, the recognized objective of information security is to maintain the availability, integrity and confidentiality of organizational information, while coping with the aforementioned threats.
The success of ensuring information security objectives are achieved is influenced by both internal and external factors. The outer ring of the chart shows the four major drivers of change in the security landscape. In order to manage the organizational risks — whether they are triggered by new business opportunities, business requirements, new laws and regulations or external threats — it remains important to take a proactive approach. Cronos Security can assist your organization with our security approach.

2. OUR APPROACH
The Cronos end-to-end Security approach starts by defining a policy-driven enterprise program which places security and risk management in a larger context. Our in-depth security vision focuses upon governance, architecture, design, implementation and operations of the security activities. This broad approach is the only way to define the actual risks your organization is facing. The Cronos Security offering includes internationally recognized best practices within all the aforementioned security domains. Depending on the needs of your organization, our multidisciplinary team will take on the entire security program, from risk analysis and governance to architecture, design and operations, or one of our specialists solves a specific information security problem.

3. OUR PROFESSIONALS
>> Cronos Security is a multidisciplinary team of security professionals with a broad spectrum of expertise.
>> Our profiles range from experienced coaches and GRC auditors, over very technically oriented engineers and consultants, to those who support and operate the different environments and products.
>> Training or education sessions are organized and given on a regular basis. This can be done for generally available or custom-made topics, but also for publicly organized events.
4. OUR NEXT GENERATION SECURITY ARCHITECTURE ONION
For us, security is built up via different layers, each with its own focus and a different approach.
When building the security architecture tailored to your specific needs, your IT infrastructure will always be the center of it. This must be protected by the well-known ‘infrastructure security’ approach, consisting of physical security (badges, guest registration tools or video surveillance are some examples of this), network control and protection (NAC solutions, network segregation, guest network), server and host protection (not limited to antivirus and antimalware protection, security on virtualization solutions or privileged access control policies), and gateway checks (firewalls, antispam, DLP and URL control are most likely the best-known technologies for this section). Having the right technology in place to protect your central IT environment is the first step, but you will need to make sure you do the required follow-up and are able to map the events to the right identities and technologies. To achieve this you will need to have an Identity and Access Management solution in place, linked to a Security Information and Event Management tool. The persons operating the Security Operation Center will make sure all the generated events are correctly interpreted and, when needed, reacted on. When necessary they will hand over the actions to the Security Response Center, who will intervene and technically act on the ongoing threats. For Cronos Security those two inner layers are ‘the core’ of the security solution and must always be present. In addition to this, you can implement techniques and point solutions that will provide you with some more flexibility, usability or performance. Of course, there are also specific solutions that will bring the security level to an even higher level. The two layers on the outside of the onion don’t have a focus on products or solutions, but are more focused on the processes and procedures you will need to have in place to set up, control and operate the security environment. They will outline the environment you are able to move within and describe the actions you are able to take.
5. OUR SERVICES
We have expertise within the following security domains:

5.1 GRC assessments
The Governance, Risk and Compliance (GRC) assessment services are key for companies to determine their security maturity. Based on the framework to be assessed, key people within the organization are interviewed and information and documents are reviewed. The outcome is a description of the organization’s level of maturity against the framework. The result includes the security organization, security controls, document framework, risk management processes and any other domains related to the framework to be tested against. Regulation has forced organizations to become compliant with increasing demands of Information Security and Data Privacy. We have expertise in assessing, auditing, documenting, planning, improving and training the domains as represented in ISO9001, ISO27001/2, ISO22301, SANS Cyber Controls, NIST (Cyber security), General Data Protection Regulation (GDPR), Cloud Security Alliance (CSA) and COBIT. The GRC assessment is an ideal starting point for a continuous improvement track. To support that cycle we provide Information Security Experts or Data Protection Officers as a service.

5.2 Risk management
Security professionals often state there is no such thing as perfect security. They reason that security measures are implemented by people and therefore people can circumvent these measures. This line of reasoning is correct, but it is not the core issue. Risk management is the core of a security framework: it is about identifying risks and control measures and determining a risk management strategy. We recommend and use the ISO27005 framework to implement risk management. This framework ensures an in-depth analysis and follow-up of company risks. Continuous evaluation ensures that risks are regularly re-analyzed and approved. This is important as risk levels might vary in time based upon the threat posture of the company, newly implemented technologies, etc.
Figure: High level overview of the ISO27005
5.3 Technical assessments
Although a typical IT environment changes frequently, whether it is software, hardware or network related, your organization always needs to stay on edge with the competition. These changes not only enhance your efficiency, but also impose an inherent risk. What if your engineers didn’t know the full implications of configuring specific settings on a server? What are best practices from a security point of view when implementing a new component in code? Certified consultants from Cronos Security evaluate concrete risks through technical assessments. These can vary from evaluating your overall security posture to giving an in-depth view on a specific system. Our services include (but are definitely not limited to):
>> Vulnerability assessments
>> Penetration testing
>> Physical intrusion testing (including: social engineering, lock picking ...)
>> Product security testing
>> Security hardening

5.4 Architecture and design
Translating your business requirements to solid, secure technical solutions: our architecture services typically include evaluations of the current as-is and the desired to-be infrastructure. These assessments take into account the technical and business risks of your organization and hereby utilize your current investments in infrastructure and licenses. These tests are ideal to understand your current architectural security status. We can realize up-to-date designs that meet your needs and match your environment thanks to the broad security-product knowledge of our team, combined with the large number of partnerships we have with hardware and software vendors. Our vendor-independent approach guarantees our ability to evaluate every request on an individual basis. Therefore we are able to conclude whatever technically fits the specific situation best.

5.5 Implementation
Every day we earn the trust of our customers through participating in lots of trainings, getting relevant certifications and delivering successful projects in a broad spectrum of industries and sectors.

5.6 Operations
Bruce Schneier once said: “Security is a process, not a product.” At Cronos Security we couldn’t agree more with this statement. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. But the processes alone are still not enough! You also need someone who operates them. You need someone who is able to keep the environment up-to-date and is able to act upon events triggered by various systems. But most of all you need someone who is capable of doing all of this with the right technical competences. At Cronos Security we offer different flavors of operational support, ranging from on-call expertise over co- or outsourced services to XaaS operational services.

5.7 Awareness and training
Everybody needs to understand that they are an active part of the level of security. With technical solutions alone you can extend or improve that level, but you will never reach the intended goal. To achieve this, you will need to be sure that everybody is actively participating in security. Awareness campaigns are always tailored to the desired level and expectations of the customer. They can range from one-time classical sessions to complete custom-branded campaigns running over multiple quarters. On-premise, online, one-time-shot, recurring and many more are possible.

5.8 Insurance
It is impossible to fully secure an organization; therefore risks can only be limited and controlled to a certain extent. Cronos Security also provides the possibility to opt for an information security insurance. This insurance protects you against potential financial consequences of your residual risks.
GAIN CONTROL OVER YOUR SECURITY RISK
As a customer of Cronos Security, you can count on a team of security professionals with a broad spectrum of expertise and the mission to make your (IT) world a safer place. But if you’re not instantly convinced by our promise of end-to-end solutions tailored to your business needs, we can offer you the following calls to action:

According to Forbes, security expenditure will increase by 46% in 2016. How do you know you’re investing in the right tools and appliances? Are your ICT implementations safeguarded by the business requirements and processes? To make sure that your new tools and appliances are surrounded by the appropriate processes we can provide you with a high-level assessment of your information security environment. We will use a Cronos Information Security Framework that is based on the ISO 27001 standard to identify possible risk areas in view of your business environment. Based on a set of interviews and a review of documents we will provide you with an information security audit report and practical governance guidelines.

WHAT’S LIVING ON YOUR NETWORK?
These days everybody is familiar with Next Generation Firewalls. But what about next generation intrusion prevention systems (NG IPS)? NG IPS sets a new standard for advanced threat protection, integrating real-time contextual awareness, full-stack visibility and intelligent security automation. In short, NG IPS notifies you of suspicious network traffic and takes action (by blocking threats, applying application control, URL filtering and malware protection). Now, seeing is believing. On our website you can take a look at three sample risk reports covering Advanced Malware risk, Network risk and Attack risk. Notice the details that it unveils and the possible countermeasures we can take. Allow us to put in place a demo appliance, free of charge (value 2.850,00 EUR), in listening mode and we will provide you with similar reports based on your environment.

TEST IT, OR SOMEONE ELSE WILL
How would your people react when they receive a mail asking about their account names or passwords? Did you have the right support during the development lifecycle of your application? Did you ever dare to check how fast a normal user can gain admin access on servers holding sensitive data? Your Active Directory might have had an operational health check, but did it ever get a security check? Who reviewed your network design or infrastructure architecture in the context of its overall security? Is your industrial network vulnerable to a breach? Is your network safe from the outside? Some companies think about security. Few companies focus on security. Fewer companies test their security. Are the keys to your kingdom secure? Invite us over, let’s have a serious chat about your security and let’s test it, before someone else does.
INFOSENTRY: GET ASSURED
Do you know where your data is? Have you got a clear view of who has access to your data? Do you know what happens with the data? Do you understand your responsibilities to protect data? If your answer is NO to any of these questions: think InfoSentry.
InfoSentry offers services which will help your organization to deal with the General Data Protection Regulation. Our work has been recognized by our customers as best in class. InfoSentry is simply the best choice for your GDPR needs! Knowing your current state of compliance towards the new GDPR legislation is crucial to define your roadmap and be prepared by May 2018. We can provide you with this overview and make sure your company can comply. What can InfoSentry offer you? An assessment on the specific controls required by the GDPR. It documents the gap between the AS-IS situation within your organization and the GDPR requirements. The following domains are part of the assessment:
>> Transparency of data processing
>> Collection and purpose limitation of personal data
>> Consent of the data subject
>> Quality of the data and data processing activities
>> Privacy Program Management
>> Information Security for Privacy Purposes
>> Data Breach Readiness and Response
>> Individual Rights of the data subjects
What will you get out of it? A clear view on the GDPR requirements applicable to your organization, the degree of compliance your organization has and a maturity scaling of the implemented security controls based on ISO27001. You will gain confidence in defining priorities and projects to become compliant with GDPR in your organization. General time estimation: between 5 and 7 days for a specific GDPR assessment (excluding reporting, review and debrief meeting) for small and medium-sized organizations; for international organizations timing might be adapted depending on the complexity.
GDPR: Get your Data Protection Right ROGER SELS
Each fully booked seminar from Cronos Security proves the growing awareness of the urgency surrounding the new European GDPR regulation (General Data Protection Regulation). The implications of GDPR go far beyond IT security. GDPR determines the way the company manages and protects business data and personal data, and relates to the implicit obligations in relation to the personal data available to the company. New, too, is the Accountability Principle: if your company can’t demonstrate a clear effort for compliance with these regulations, the GDPR may impose severe fines. The question companies should ask is how they are going to centralize, organize, manage and protect their data and adjust their internal procedures accordingly. Cronos Security has an ecosystem of more than 200 security experts, a SOC (Security Operations Center) and a partnership with 30+ vendors that can assist with the organization and implementation of the regulations. But let's first have a look at the different angles.
JURIDICAL
For lawyer and data protection expert Florence de Villenfagne of ICTLex, the European Regulation 2016/679 or GDPR (General Data Protection Regulation), starting on May 25, 2018, is not a revolution, merely an evolution. The privacy principles for the protection of personal data are updated and extended, but not changed. The revolution on the other hand happens regarding the new accountability principle, which imposes on businesses that they can demonstrate that they comply with the GDPR rules, and the administrative fines that can go up to 4% of the annual turnover to 20 million euros.

What does personal data exactly mean?
Personal data means all information about identified or identifiable individuals, who are called a stakeholder, an individual, a natural person, not a business. A full name and date of birth may suffice. To anonymous data the GDPR does not apply. As long as the person behind the information can be traced and identified, we speak of personal data. Personal data may be processed as long as it is done in a lawful manner, i.e. with a legitimate basis (a permission or another basis) and with a specific goal in mind. Data may not be kept longer than necessary, must be accurate, must be protected and may not be handled differently than necessary for the intended purpose. Special categories of data that are more sensitive (such as health data) are therefore additionally protected by law.

There is also the accountability principle?
Following the GDPR, companies must identify and document their data processing operations and categories of personal data, including what agreements have been made with subcontractors in relation to the data transfers and exchange of data with third countries and what guarantees were provided for this purpose ... The GDPR keeps a risk-based approach. In certain cases, DPIAs (Data Protection Impact Assessments) need to be performed. DPIAs are effect and risk analyses that focus on the risks and liabilities and the rights and freedoms of the persons concerned and include the planned measures to reduce those risks. The Data Protection Authority can request to control the DPIA programs in place. Companies will also have to report data breaches within 72 hours of discovery to the Data Protection Authority or privacy commission (www.privacycommission.be). And if the concerned data could involve a high risk towards the rights and freedoms of the listed individuals, the people involved will need to be informed personally. Theft of a computer or loss of a memory stick containing personal information is to be considered a data breach and should therefore be reported accordingly to the Privacy Commission.
The GDPR also requires the creation of a new role?
Enterprises will have to appoint a DPO or Data Protection Officer. This may be an employee or an outside consultant, but that role must have a guaranteed independence. The role of the DPO is to inform and advise on the obligations of the GDPR, ensure compliance with the regulation, advise on the DPIAs as well as have a contact function for the supervisory authorities (the Privacy Commission) and for the concerned individuals.
GDPR PRACTICAL
With David Callebaut of InfoSentry, part of Cronos Security, we have a closer look at the practical translation of the GDPR regulatory processes towards the organization in terms of risks, governance and compliance. GDPR clearly involves more than IT.

How to start with GDPR?
For the practical implementation it is preferable to start not from a clean sheet, but from the existing infrastructure and departments in place. Organize Privacy Awareness Sessions per department and division and spread the message top-down from the CEO towards the different working groups and individuals that the GDPR needs to be strictly observed and implemented. Awareness, Ownership and Accountability are the key words of these sessions. The GDPR regulation requires the implementation of a central data register allowing the rights of the data subjects to be guaranteed by sufficient provable security of personal data. Internal processes must be adequately documented and followed exactly by the various departments. Being compliant, the risk management process will prove to be easier and faster to implement and to demonstrate.
How can the workers own the new procedures?
New-hire GDPR training and regular GDPR rehearsal courses are designed to train and brief staff adequately and continuously on the internal usage, issues and risks. Clear agreements on who does what with what authority and with what permissions have to be stated in each department.

Can you give an example?
In medium-sized companies a 5 to 7 day assessment is enough. Once completed, the assessment report can be used to socialize the governance rules towards the management. Define clear responsibilities (ownership) and through regular and thorough reporting to management ensure that the necessary priority and focus is maintained, and ensure the necessary support is being delivered by the management. The GDPR assessment brings the program to life within the company and translates the right message to the right people involved.

Is there anyone who can take the lead in this?
The GDPR legislation requires organizations to appoint a Data Protection Officer (DPO). As mentioned, the DPO isn’t required to be an internal person. He/she needs to have the necessary knowledge of IT engineering, IT security and risk management, and legal experience with privacy laws, including GDPR. It is estimated that 40,000 DPOs should be appointed to meet the GDPR. An outsourced person may be provided by InfoSentry in the form of DPO as a Service. In consultation with the client it is determined how many days the DPO as a Service will be present. On average, this may be 2 to 3 days per month. The DPO as a Service ensures compliance with the required GDPR, but can also be combined and engaged as a security consultant.
GDPR OPERATIONAL
Luc Delanglez from Datalumen, part of Cronos Security, focuses on the operational side of the GDPR story: Data Governance, Data Discovery, Data Security, Data Stakeholders and the required capabilities, the Data Subject Rights and the Duties of the data processor.

How do you start?
It is important to capture business processes and rules and to document them, allowing the GDPR to be put into practice, starting from the communities of the different business departments. From the GDPR the regulatory policies are put in place to achieve the operational implementation, e.g. sensitive information like email addresses and bank details must be masked. It is crucial to know where privacy-sensitive data resides.

How do you keep monitoring it?
Data Discovery with tools and processes demonstrates where person-sensitive information resides, which can be used to do a risk classification of the data. Risk analyses monitor the data flows; with use of a dashboard generating alerts, the DPO is aware where action must be taken to safeguard and secure person-sensitive data. For the production environment and towards certain roles, person-sensitive data can be masked dynamically. For every role within the company, apply specific roles and access rights in accordance with the nature, necessity and function of the data. If all data is stored and used centrally in one ERP, the GDPR application becomes simpler. Today at most corporations and on most users’ desktops, the data is spread over the different applications and departments, in lots of dispersed files and many folders. Being aware of this reality can help you grow the awareness of the urgency throughout your organization.
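As an added illustration of the data discovery, risk classification and dynamic role-based masking described in the operational section above (example code written for this article, not Datalumen's or InfoSentry's tooling), the Python below inspects the values of a flat record for anything shaped like an e-mail address or an IBAN, grades the record, and masks those fields unless the caller's role is allowed to see that kind of data unmasked. The role names, the masking policy and the sample record are constructed assumptions.

```python
import re

# Value-based detectors, so a misnamed column is still found (constructed, simplified).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# IBAN shape only: 2 letters, 2 check digits, 11-30 alphanumerics; no checksum validation.
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")

# Assumed role policy: which kinds of personal data a role may see unmasked.
# A role that is not listed here (or an unknown role) sees everything masked.
UNMASKED_KINDS_BY_ROLE = {
    "dpo": {"email", "iban"},
    "finance": {"iban"},
    "support": {"email"},
    "analyst": set(),
}


def discover_personal_fields(record):
    """Return {field_name: kind} for every string value that looks like personal data."""
    found = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.match(value):
            found[field] = "email"
        elif IBAN_RE.match(value.replace(" ", "").upper()):
            found[field] = "iban"
    return found


def classify_risk(record):
    """Coarse risk class for the record (constructed scale): bank details outrank e-mail."""
    kinds = set(discover_personal_fields(record).values())
    if "iban" in kinds:
        return "high"
    if "email" in kinds:
        return "medium"
    return "low"


def mask_email(value):
    """Keep the first character of the local part and the domain: a********@example.org."""
    local, _, domain = value.partition("@")
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_iban(value):
    """Keep the country code and the last four characters; mask everything in between."""
    compact = value.replace(" ", "")
    return compact[:2] + "*" * (len(compact) - 6) + compact[-4:]


MASKERS = {"email": mask_email, "iban": mask_iban}


def mask_record(record, role):
    """Return a copy of record with personal data masked unless role may see that kind."""
    allowed = UNMASKED_KINDS_BY_ROLE.get(role, set())
    masked = dict(record)
    for field, kind in discover_personal_fields(record).items():
        if kind not in allowed:
            masked[field] = MASKERS[kind](record[field])
    return masked


if __name__ == "__main__":
    # Constructed sample record; the column "account" holds an IBAN under a neutral name.
    sample = {
        "name": "Ann Smith",
        "contact": "ann.smith@example.org",
        "account": "BE71 0961 2345 6769",
        "city": "Kontich",
    }
    print("personal fields:", discover_personal_fields(sample))
    print("risk:", classify_risk(sample))
    for role in ("analyst", "finance", "dpo", "guest"):
        print(role, "->", mask_record(sample, role))
```

Because the discovery step looks at values rather than column names, the same record run through each role shows which fields a given role would see in clear, which is the dashboard view the DPO needs before granting access rights.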
SECURITY AS A SERVICE MAARTEN WOUTERS
Our Story
Our History
Through our highly skilled ICT security experts Nynox offers security operations services such as penetration tests, vulnerability assessments and system hardening guides, as well as managed services including a 24/7 Computer security incident response team (CSIRT) and a managed SIEM solution keeping a continuous close eye on your environment.
While Nynox is new – founded in August 2016 – we have an experienced team, because Nynox was founded as a joint venture of several specialised teams within IS4U and Hestia. IS4U has a history in offensive security while Hestia provides knowledge in the field of operations. The combination of these two gives us a unique approach to security services.

Our offensive side
Nynox’s RED team evolved from the IS4U Security Services team, founded in 2009. With highly skilled security professionals trained in offensive security, we offer services ranging from run-of-the-mill penetration testing and web application security testing to assessing SCADA implementations. With employees engaged in security (non-profit) organisations such as BruCON and OWASP, and mentoring in SANS courses such as GWAPT, GMOB, GPEN, GXPN and GCFA, we add strong value to any offensive security solution we offer to our clients, as we have great knowledge of the approach an attacker takes.

Our defensive side
Our Blue team, aka Security Operations team, grew from a leading IT Operations company – Hestia – that has 15 years of experience in offering 24/7 support to IT organisations, including monitoring, incident and change management. The team is skilled in SIEM, endpoint protection, anti-malware, anti-virus and multi-factor authentication solutions. Your concerns are our business. We have your back!

Our Services
Nynox offers solutions to mitigate security incidents, such as endpoint protection, anti-malware and intrusion detection and prevention solutions. Additionally, Nynox has a 24/7 CSIRT that assists businesses when an attack has occurred and helps them assess and triage the situation. Lastly, Nynox provides customers with a managed security intelligence service based on IBM’s QRadar SIEM solution.

SECURITY INTELLIGENCE
Nynox provides customers with a 24/7 managed security intelligence service based on IBM’s QRadar SIEM solution. This allows us to continuously monitor your environment and react to any attacks or threats that might occur; it also helps us proactively defend your environment against new attack vectors.

FORENSICS
Our certified computer security incident response team offers assistance when a breach does occur. The CSIRT helps our customers assess and triage the situation, making sure they are up and running as fast as possible while also making sure the attack is properly mitigated.

SECURITY SOLUTIONS
Besides our services and operations we offer solutions that help safeguard your environment. Of course, all these product offerings are configured and managed by our team of offensive and defensive security experts!

Endpoint security
Protecting employee workstations and devices is an important way to prevent infection throughout your organisation. Standard antivirus is not enough anymore. To protect ourselves against cryptolockers or nasty ransomware attacks we have to move to the next generation of endpoint protection. We can help you find the perfect solution for your needs.

Multifactor Authentication
Multifactor authentication and Identity & Access Management is our speciality: whether it concerns advanced (localised) biometrics or federated authentication based on SAML 2.0 or OpenID Connect (OAuth 2.0), we offer solutions, services, architecture and analysis.

Enterprise Mobility Management
Whether you bring your own device or manage company assets, mobile device management solutions have become a necessity in a modern-day organisation. We take on the challenge of managing this and offer you a pay-as-you-use service to manage your mobile devices.

Vulnerability Management
It’s important to identify your networked devices and specify which have the highest priority. Asset management provides the workflow necessary to research, identify and classify the assets that need to be scanned and monitored for vulnerabilities. Vulnerability management is key to any security strategy. The latest automated hacking tools can inflict damage across a network and across the world in a matter of minutes. Therefore, understanding the potential vulnerabilities within your systems is vital to your security strategy. We offer a service, on-premise or in the cloud, to cover asset discovery, vulnerability scanning and reporting.

Email Security
Email Security filters unwanted messages and protects mailboxes from targeted attacks. The service has self-learning capabilities and intelligence to deliver highly effective and accurate email security, delivering always-on inbound and outbound messaging security. Email Security helps protect organisations from email-borne viruses, malware, spam, phishing, targeted attacks and bulk email.

PENETRATION TESTING
We have certified experts that can accommodate clients with any need they might have for a penetration test, be it a normal network or web application penetration test, or a more specialised test including physical security or SCADA implementations. The goal is always to document findings carefully and clearly and to provide insight into how to remediate the associated vulnerability.
Building a security architecture: our layers of protection ROGER SELS

Since the early beginnings of the ARPANET in 1969, the authorities and the steadily growing number of service, software and hardware providers have been in a continuous search for common standards and sets of rules, in order to create order from chaos and clarity from darkness. The internet has evolved into maturity and into a world of its own, and like the real world it obeys certain immutable laws. To allow governments, organisations, corporations and individuals to interact safely and securely, a common standard is needed that can be adopted and adhered to, enabling all actors to communicate and to organise transactions in a legal, orderly and structured way. Around 40% of the world population today has an internet connection: 3.569.067.757 users to be precise, the last nanosecond I checked http://www.internetlivestats.com. Hackers may see themselves as the Robin Hoods of the big data forest; no code of conduct will stop them. On the contrary, they are motivated to cross rules and borders, find the glitches and weaknesses in security infrastructure and human behaviour, and sneak in and steal all the data they can transact or are commissioned for. For these reasons, within the corporate WAN and LAN environment there is obviously no place for nonchalance, negligence, anarchy or a hippie attitude. The big bad wolf could be lurking anywhere. Today the production-floor OT environment blends in with the IT environment and extends towards the cloud, with Industry 4.0 diagnostic and analytic Manufacturing Excellence Systems, robotisation and Asset Performance Manufacturing diagnostics solutions. The IT Director carries the responsibility and the duty to develop a detailed 360° end-to-end view, understanding and control of the corporate IT infrastructure, data flows, data usage, protective wall of measures and BYODs.

The lack of IT expertise, skilled personnel, monitoring tools, internal procedures, user discipline and security measures significantly increases the risk of intrusion, BYOD risks, phishing, malware and viruses that weaken the corporate infrastructure, cause erosion of profits and ultimately snowball into the loss of strategic advantage and, finally, the loss of market competitiveness.
As Cronos Security commits to deliver the highest level of IT security services with its own ecosystem of 200 IT security experts, our Security Operations Center and our privileged partnerships with more than 30 security providers, we have assembled all elements of the security architecture into a circular layered diagram. This gives an overview of all the end-to-end IT security architecture elements that matter. It is free to be used as a corporate operational checklist of conformity and control.

THE SECURITY ARCHITECTURE LAYERS
In the approach of Cronos Security, security is built up from different layers; each layer has its own focus and a different approach.

When building the security architecture to your specific needs, your IT infrastructure will always be at the centre of it. We recommend the ‘infrastructure security’ approach, consisting of the physical security layer (badges, guest registration tools or video surveillance are some examples), network control and protection (NAC solutions, network segregation, guest network), server and host protection (not limited to antivirus and anti-malware protection, security on virtualisation solutions or privileged access control policies), and gateway checks (firewalls, anti-spam, DLP and URL control are probably the best-known technologies in this section).

Having the right technology in place to protect your central IT environment, you will need to make sure you practise the essential follow-up and are able to map events to the right identities and technologies. To achieve this, an Identity and Access Management solution, linked to a Security Information and Event Management tool, will need to be installed. The administrators operating the Security Operation Center will make sure all generated events are correctly interpreted and, when required, acted upon. When necessary they will hand over the actions to the Security Response Center, which will intervene and technically act on the ongoing threats. For Cronos Security those two inner layers are ‘the core’ of the security solution and must always be present. In addition, you can implement techniques and point solutions that will give you more flexibility, usability or performance. Of course, there are also specific solutions that will raise the security level even higher. All the competences we have and technologies we can cover are grouped in the figure. The two outer layers of the onion do not focus on products or solutions but on the processes and procedures you need to have in place to set up, control and operate the security environment. They outline the environment you are able to move within and describe the actions you are able to take.
BUILD A SOLID BASELINE
-- Email control
-- Endpoint protection (antivirus, anti-malware, ...)
-- Firewalling
-- Information risk management
-- Information security governance
-- Network segmentation & access control
-- Physical access control & policies
-- Web control

DETECT & REACT
-- Cybercontract (risk insurance)
-- IDS / IPS
-- Incident response centre
-- Log management
-- Managed security service
-- Security information & event management (SIEM)
-- Security (network) operation centre
-- Syslogging solution

CONNECT TO THE OUTSIDE
-- Client & clientless VPN
-- DNS & DNSSEC
-- File synchronisation & sharing
-- IPv6
-- Site-to-site VPN

PROTECT YOUR USERS
-- Access management
-- Certificate authority system & certificate management
-- Directory services
-- Federation services
-- Identity management
-- Password management
-- Privacy management
-- Security awareness or technical training

KEEP YOUR BUSINESS GOING
-- Anomaly behaviour profiling & detection
-- Data archiving & legal hold
-- DDoS mitigation
-- Domain and user privilege control & advice
-- Endpoint management
-- Link balancing
-- Security risk profiling
-- Software defined security
-- Time management
-- Web application firewalling & reverse proxy

KEEP YOUR DATA SAFE
-- Advanced threat protection
-- Database security
-- Data discovery
-- Data governance
-- Data location advice
-- Data loss prevention & protection
-- Data masking & tokenization
-- Data recovery
-- Digital rights management
-- Enterprise mobile management
-- File auditing
-- Test data management

SECURE YOUR ENVIRONMENT
-- Application security guidelines
-- Digital forensics analysis
-- Fire prevention
-- Honeypot
-- Industrial security
-- Multi factor authentication
-- Penetration testing
-- Security audits
-- Security policy management
-- Single sign on
-- Social engineering
-- Video surveillance
-- Vulnerability management (1-time, recurring, continuously)
The Digital Workspace LIEVEN VAN DE WALLE
To ensure the availability and security of applications in the mobile workplace, sufficient attention must be paid to the accessibility of applications in networks and via the Internet. The modern workplace demands the assurance of sufficient bandwidth, ease of use and security when delivering applications to users and customers, over various carriers such as tablets, mobile phones, desktop PCs or laptops. For Shiftz, the advantages of our product range are at the network level: ensuring the availability and security of applications and data to end users, irrespective of where they may be and irrespective of the carrier they are using. In the workplace of today, home offices and the modern flexible workstation are increasingly becoming accepted. In the contemporary economy of global competition, most companies are convinced that it is time for them to make the transformation to the mobile workplace and online competition model. Windows constantly offers more applications, and there are an increasing number of web-based and SaaS applications. In the meantime, there are already as many as 6,000,000 Windows applications. In addition to Microsoft Windows applications, therefore, we also offer modern HTML5 and mobile apps, locally on the laptop or on the tablet, hosted in the cloud or within an in-house data centre. That requires a different form of application delivery, one that is no longer required to run only on the desktop PC at the office or to be available only in the in-house data centre. For this reason, we at Shiftz are applying our expertise to deliver applications at the network level as well. How can companies securely provide all these applications to their employees at all times, wherever they may be, so that they are always assured of being able to work securely from anywhere? In the network and IT security domain, this is done by Application Delivery Controllers.
This is made possible by Citrix NetScaler, the undisputed leader amongst application delivery controllers according to Gartner’s Magic Quadrant. An application delivery controller (ADC) is a virtual or physical appliance in a data centre or cloud, which may be part of an Application Delivery Network (ADN), that takes over tasks from web servers, for example, and optimises them in order to reduce or even remove the quantity of web traffic or load on the web servers. ADCs also ensure the high availability of the environment via load balancing or data centre load balancing (Global Server Load Balancing). ADCs often also have a role to play in the DMZ as Web Application Firewall or reverse proxy to protect internal (web) resources. In order to combine the availability and security of these applications, we install Citrix NetScaler as Application Delivery Controller at the network level. Via Citrix NetScaler, we can run more than 6,000,000 available Windows applications both on-premise and in the cloud, and optimise and secure them for the end user. This also applies to web-based applications and SaaS applications. At Shiftz, we use Citrix NetScaler to optimise the application experience for the end user through caching, compression, TCP optimisation or even HTML code optimisation. With application firewall, TLS (Transport Layer Security), content switching, DDoS protection and authentication, we assure our clients of optimal security. Shiftz gives customers an understanding of the end-user experience and we guarantee high availability via load balancing or data centre load balancing. And finally, we save the user from 101 login tasks and obsolete VPN solutions by offering all applications at one portal. www.shiftz.be
SECURITY INTELLIGENCE SERVICE MAARTEN WOUTERS
Imagine: you head off to work on a Monday morning. Business as usual, until you get a phone call from the legal department stating that the company has suffered a data breach and sensitive customer information was leaked. It is now 11AM and you just had a meeting with all parties involved to estimate the damages. Apart from the headache of the leaked sensitive data, you also need to figure out how the breach happened and make sure it is contained. To top it all off, you are required to pay a hefty fine of €1,000,000 for non-compliance with the GDPR. You had better call the missus, as it looks like you won’t make it home for supper. This scenario is not as far-fetched as you might think. When handling personal data of any kind, all businesses operating in the EU will have to comply with the General Data Protection Regulation (GDPR). The GDPR states that organisations have a legal obligation to report data breaches; in addition, they need to be able to report exactly what was stolen and how.
Failure to comply can result in fines up to 20,000,000 EUR or up to 2%-4% of the annual worldwide turnover, whichever is greater. This implies that a company needs to have the right measures in place to detect and prevent these data breaches, or at a minimum be able to report what has been stolen and how. A Security Intelligence service helps detect attacks: it provides a clear view on what is happening in your environment. Any suspicious activity is logged and evaluated. Alerts are then generated based on correlation and an evaluation of priority. It will be very tough for an attack to go unnoticed when an incident response team is guarding your environment with a well-configured SIEM on watch.

1. Penetration test
Isn’t a penetration test or security audit enough to prevent data leaks, you might ask? Although it is definitely a necessary step in securing your environment, a penetration test only provides you with a current state of affairs. A continuous process is necessary in addition, to stay ahead of the curve at all times. The following graph from the Verizon data breach report 2015 illustrates this well: about 50% of all CVEs (Common Vulnerabilities and Exposures) are exploited in the first 4 weeks after they have been published. A SIEM solution can identify these threats the same day they are published, which makes getting the right countermeasures in place that much easier. Reducing the timeframe in which these CVEs can be exploited significantly improves your continuous security.

2. On premise
Besides a managed security intelligence service, it is possible to have a SIEM appliance installed on premise; follow-up can be either on site or in our specialised security operations centre. In case something should go wrong, you can always count on our experts to provide support, on site if need be. All logged data will remain inside your company, so you won’t have to worry about third parties using the information gathered. The installed appliance does not need to be an entire SIEM product stack. A solution can vary heavily with the needs and size of your business. This can be as simple as placing a single specialised log collector. In this scenario the logs will be securely forwarded to one of our tier 3/4 datacentres located in Belgium.

3. Services add-ons
The more advanced installations of our Security Intelligence service include multiple different functions. The tooling integrates seamlessly with a vulnerability scanner. Information about vulnerabilities that are detected on assets is used to reduce false positives and to find the root cause of an incident more effectively. A great addition to the event logs is flow monitoring: the security intelligence service can monitor connections that are established on the network by tapping traffic from a port mirror on a switch or by similar means.
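As an added example (not part of the Nynox article and not QRadar's own correlation logic), the following Python snippet shows the two ideas from the text combined on constructed data: exploit-attempt alerts are matched against a vulnerability scan of the targeted host, so attempts against patched hosts are down-ranked as likely false positives, and attempts against a CVE published within the last 4 weeks are escalated. The CVE identifiers, hosts, dates and log format are placeholders invented for the example.

```python
"""Added example, not from the Nynox article and not IBM QRadar logic:
correlate exploit-attempt alerts with vulnerability scan results and CVE
publication dates, so alerts against patched hosts are down-ranked as likely
false positives and attempts against freshly published CVEs are escalated."""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed scan results: host -> CVE ids still open on that host.
# All CVE ids in this example are placeholders, not real advisories.
SCAN: Dict[str, Set[str]] = {
    "10.0.1.10": {"CVE-0000-0001", "CVE-0000-0002"},
    "10.0.1.11": set(),  # fully patched
}

# Constructed publication dates, used for the "exploited in the first 4 weeks" rule.
PUBLISHED: Dict[str, date] = {
    "CVE-0000-0001": date(2017, 3, 1),
    "CVE-0000-0002": date(2016, 6, 1),
    "CVE-0000-0003": date(2017, 3, 10),
}

FRESH_WINDOW = timedelta(weeks=4)

# Constructed alert lines in the key=value style a log collector might forward.
ALERTS = [
    "2017-03-15T09:12:01Z ids alert src=198.51.100.7 dst=10.0.1.10 cve=CVE-0000-0001 sig=exploit-attempt",
    "2017-03-15T09:12:05Z ids alert src=198.51.100.7 dst=10.0.1.11 cve=CVE-0000-0001 sig=exploit-attempt",
    "2017-03-15T09:13:40Z ids alert src=203.0.113.9 dst=10.0.1.10 cve=CVE-0000-0002 sig=exploit-attempt",
    "2017-03-15T09:14:02Z ids alert src=203.0.113.9 dst=10.0.1.10 cve=CVE-0000-0003 sig=exploit-attempt",
    "2017-03-15T09:15:30Z ids alert src=203.0.113.9 dst=10.0.1.99 cve=CVE-0000-0001 sig=exploit-attempt",
]

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_alert(line: str) -> Dict[str, str]:
    """Split a collector line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: v for k, v in (kv.split("=", 1) for kv in rest.split() if "=" in kv)}
    fields["ts"] = ts
    return fields


def prioritise(alert: Dict[str, str], scan=SCAN, published=PUBLISHED) -> Tuple[str, str]:
    """Return (priority, reason) for one parsed alert."""
    host, cve = alert["dst"], alert["cve"]
    open_cves = scan.get(host)
    if open_cves is None:
        return "medium", f"{host} not in scan inventory; exposure unknown"
    if cve not in open_cves:
        # Host is not vulnerable to what the signature fired on.
        return "low", f"{host} not vulnerable to {cve}; likely false positive"
    pub = published.get(cve)
    if pub is not None:
        age = date.fromisoformat(alert["ts"][:10]) - pub
        if age <= FRESH_WINDOW:
            return "critical", f"{cve} published {age.days} days ago and open on {host}"
    return "high", f"{cve} open on {host}"


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and prioritise alerts, sorted so the SOC sees the worst first."""
    out = []
    for line in lines:
        a = parse_alert(line)
        a["priority"], a["reason"] = prioritise(a)
        out.append(a)
    out.sort(key=lambda a: (RANK[a["priority"]], a["ts"]))
    return out


if __name__ == "__main__":
    for a in triage(ALERTS):
        print(a["priority"].upper(), a["ts"], a["reason"])
```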
4. Network flow analysis
Flows provide information that logs can’t produce and they offer a complete view of your network. They help in detecting attacks using heuristics and in mitigating zero-day attacks. The most advanced feature is a forensics module that does a full packet capture of everything that happens on the network. This enables you to see even more and to investigate cases in more detail. When this module is enabled it will also help you provide more information to the competent authorities to aid in finding the culprit.
5. Your customised rules
For all the custom functions that are not included in the product by default, we offer extensions created by our skilled security specialists to match your specific use cases.
6. Already have a SIEM?
If you already have a SIEM solution in place, we can offer to integrate it in our offering and have it benefit from our expert SOC team. Next to some default packages that are available, we also offer a countless number of integration scenarios to fit your need.
7. Under the hood
Showing our commitment to a quality service, we use the Gartner Magic Quadrant leading SIEM product – IBM QRadar. To guarantee the desired level of quality of our services we use top-of-the-line technologies; this enables our experts to tackle each problem without unnecessary limitations. Additionally, our commitment with IBM gives us a firm foundation to build our platform to your specific needs and requirements. QRadar is currently based on Red Hat Enterprise and has been maintained by IBM since 2011. Almost 6 years of development created a mature product that is leading the charts.
8. Our Commitment
In the current security environment staying up to date is critical. Changes in your network topology, newly disclosed vulnerabilities, bring your own device, and even updating the SIEM tool itself are but a small set of examples of changes that can occur. All these changes require knowledge of both your environment and the security landscape. By offering SIEM as a managed service we take the heavy lifting off your shoulders. It also integrates seamlessly with other services we offer. Many tools allow for log forwarding to SIEM tools, which gives us more information to work with so problems can be solved more effectively. Included in our offering are the services our SOC offers: this team of experts will closely watch the events that are generated by your devices and report any anomaly and security issue that presents itself. They will also offer support in how to resolve each incident and how to protect against future attacks. What makes our SOC so unique is that the people involved are also involved in offensive security. We perform penetration tests in several areas of IT infrastructure and web applications, varying from IoT to industrial PLC installations. By executing the same attack vectors that are being used in the wild we gain insight into how an attacker would exploit your network. We also do research on attacks that are not yet known, to gain more insight into what’s to come.

All this experience helps greatly when tuning the SIEM rules, as we know where to look. It also allows us to respond to incidents faster and identify the source and impact of an attack more accurately. The SOC is located in Belgium, which allows our team to offer on-site support in case of an incident. The initial process of getting to know your network and onboarding log devices is facilitated by this as well. We offer a SOC that is available 24/7: attackers will not wait for you to start the business day, so we won’t either. By being so closely involved we have the capabilities to quickly respond to any threat. We offer the intelligence to analyse and identify breaches, helping you reach compliance and a safer environment, and saving you the cumbersome experience of managing security all on your own. Don’t wait until it’s too late. Contact us today for a detailed offering on our Security Intelligence service! Let’s not meet by accident.
CISCO 2017 ANNUAL CYBERSECURITY REPORT Executive Summary Adversaries have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. The explosive growth of mobile endpoints and online traffic works in their favor. They have more space in which to operate and more choices of targets and approaches. Defenders can use an array of strategies to meet the challenges of an expanding threat landscape. They can purchase best-of-breed solutions that work separately to provide information and protection. And they can compete for personnel in a market where talent is in short supply and budgets are tight. Stopping all attacks may not be possible. But you can minimize both the risk and the impact of threats by constraining your adversaries’ operational space and, thus, their ability to compromise assets. One measure you can take is simplifying your collection of security tools into an interconnected and integrated security architecture.
Integrated security tools working together in an automated architecture can streamline the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues. Many organizations use at least a half dozen solutions from just as many vendors. In many cases, their security teams can investigate only half the security alerts they receive on a given day. The Cisco 2017 Annual Cybersecurity Report presents research, insights, and perspectives from Cisco Security Research. We highlight the relentless push-and-pull dynamic between adversaries trying to gain more time to operate and defenders working to close the windows of opportunity that attackers try to exploit. We examine data compiled by Cisco threat researchers and other experts. Our research and insights are intended to help organizations respond effectively to today’s rapidly evolving and sophisticated threats.
This report is divided into the following sections:
ATTACKER BEHAVIOR In this section, we examine how attackers reconnoiter vulnerable networks and deliver malware. We explain how tools such as email, third-party cloud applications, and adware are weaponized. And we describe the methods that cybercriminals employ during the installation phase of an attack. This section also introduces our “time to evolve” (TTE) research, which shows how adversaries keep their tactics fresh and evade detection. We also give an update on our efforts to reduce our average median time to detection (TTD). In addition, we present the latest research from Cisco on malware risk for various industries and geographic regions.
DEFENDER BEHAVIOR We offer updates on vulnerabilities in this section. One focus is on the emerging weaknesses in middleware libraries that present opportunities for adversaries to use the same tools across many applications, reducing the time and cost needed to compromise users. We also share Cisco’s research on patching trends. We note the benefit of presenting users with a regular cadence of updates to encourage the adoption of safer versions of common web browsers and productivity solutions.
CISCO 2017 SECURITY CAPABILITIES BENCHMARK STUDY This section covers the results of our third Security Capabilities Benchmark study, which focuses on security professionals’ perceptions of the state of security in their organizations. This year, security professionals seem confident in the tools they have on hand, but they are uncertain about whether these resources can help them reduce the operational space of adversaries. The study also shows that public security breaches are having a measurable impact on opportunities, revenue, and customers. At the same time, breaches are driving technology and process improvements in organizations.
INDUSTRY In this section, we explain the importance of ensuring value chain security. We examine the potential harm of governments stockpiling information about zero-day exploits and vulnerabilities in vendors’ products. In addition, we discuss the use of rapid encryption as a solution for protecting data in high-speed environments. Finally, we outline the challenges of organizational security as global Internet traffic, and the potential attack surface, grow.
CONCLUSION In the conclusion, we suggest that defenders adapt their security practices so they can better meet typical security challenges along the attack chain and reduce adversaries’ operational space. This section also offers specific guidance on establishing an integrated and simplified approach to security: one that will connect executive leadership, policy, protocols, and tools to prevent, detect, and mitigate threats.
DOWNLOAD THE CISCO 2017 ANNUAL CYBERSECURITY REPORT www.cisco.com/go/acr2017
intigriti: Ethical Hacking in Belgium STIJN JANS
Hacking: the word has rather negative and even frightening connotations. Despite this, intigriti – part of Cronos Security – aims to hack as many companies as possible, with their consent. This Belgian start-up brings our country into the new world of crowdsourced security. While working in his IT security company the Security Factory (tSF), founder Stijn Jans – part of Cronos Security – discovered a gap in the market. tSF specialises in penetration testing, or pen testing, of IT environments. During these pen tests, experts from tSF attempt to discover as many security-related errors and vulnerabilities as possible in the digital environments of customers. This type of service is essential to establish a baseline against known vulnerabilities and attacks. But how can these customers guarantee that they are informed about the safety of their systems the rest of the time?
PEN TESTING Thus grew the idea for intigriti. This new service welcomes ethical hackers with open arms. The goal: to fill the gaps between different pen tests with an inexhaustible source of security experts available to test your security on a more continuous basis. "During a pen test, you know that your security systems will come under pressure for a short period of time. As a result, you tend to fortify your environment, and its defences. But strong and effective security is equally important the rest of the time."
REAL REALITY "intigriti brings computer experts together who think like hackers. They know the tricks of the trade, and how to discover and take advantage of the weaknesses in your virtual defences," founder Jans continues. "As opposed to a limited team of pen testers, you suddenly have a pool of hundreds of experts, who more accurately simulate the real-world threat hackers pose to your systems. The wide range of techniques and methods allows a more realistic assessment of the ongoing threat to your security. The key difference here is that the experts affiliated with intigriti are working to improve your security, whereas other hackers are operating with malicious intent to disrupt your systems, gain unauthorised access to your data, etc."
BETWEEN PEN TESTS Companies can use the intigriti platform to cover the gaps inherent to point-in-time pen tests. Once subscribed, intigriti members determine the scope of the attacks performed by the ethical researchers. After the scope has been set, the experts affiliated with the platform are free to get started. "Today, more than ever, IT systems in companies are extremely dynamic. It is neither cost-effective, nor practically possible, to repeat conventional pen testing with a company like tSF after every configuration change. As a result, conventional pen testing is typically repeated following relatively large updates to your systems. For smaller changes and updates, it’s easy to post a project on our platform on demand. This costs much less than conventional pen testing, and puts the combined knowledge and experience of hundreds of ethical hackers at your fingertips. When adding a project to intigriti, subscribed members determine the fees ethical hackers will receive for exposing vulnerabilities, allowing the amount of the rewards to depend on the severity of the issues discovered."
COST-EFFECTIVE ALTERNATIVE TO PEN TESTING As a member of the intigriti platform, there is no cost to post new projects. You pay only for the security testing that leads to the discovery of vulnerabilities in your systems. You set the amount offered to the security testers, depending on the severity and potential impact. intigriti also offers a guide to help members set these bounties based on the current bug- and vulnerability-hunting market.
ETHICAL HACKING While the ethical hacking industry has existed for quite a while in the United States, in Belgium these activities are limited to professional companies offering formal pen testing services like tSF. Intigriti opens the ethical hacking marketplace to talented hobbyists outside this ecosystem. "Many hackers are driven by a passion to discover and learn, and test their skills. Rather than hacking to cause harm or damage, they practice it more like a sport to exercise and maintain their skills. A platform like intigriti can inspire more of these hackers and make their talents available to the market, providing a legal and profitable outlet to pursue their hobby. This is a positive trend, both for hackers currently on the margins of conventional pen testing, as well as for anyone who is threatened by them."
NEW BLOOD Intigriti is continuously looking for new experts to add to their portfolio of ethical hackers. The platform has been online for months now in beta form, and has just been updated with a visual redesign. Intigriti has an open call for anyone who is intrigued by security technology and has the necessary technical skills: "We are constantly looking for additional researchers who have an understanding of, and expertise with, advanced hacking. On our platform, you can showcase your talent and expertise, while earning a bit of money, and learning a lot. Aside from hackers, intigriti is also looking for innovative companies that are ready for this new landscape of security testing and would like to explore the market with us!"
Meet the demands of your business and ensure efficient and compliant identity governance and access management OMADA IDENTITY SUITE
TIGHT CONTROL AND EFFICIENT COLLABORATION Businesses today operate in a climate of strict compliance and security requirements and face increasing demands for enterprise efficiency. The ability to establish easy and secure access to a multitude of IT systems and applications is a prerequisite for operating an efficient business. Additionally, rapid organizational change driven by new business development, re-organizations, divestitures, acquisitions, and end-user demands such as access to cloud applications and bring-your-own-device support, calls for comprehensive identity governance and access management.
Key challenges:
>> Advanced infrastructure and increased complexity
>> Increasingly strict compliance demands and regulatory legislation
>> Volatile threat situation
>> Business requirements
>> Collaboration and easy access to information is a strategic prerequisite for growth
>> Increased demands on employees and skills in the IT department
HIGHLY CONFIGURABLE SOLUTION Omada Identity Suite provides a comprehensive integrated identity management and access governance solution. The solution empowers organizations to manage identities across heterogeneous IT systems and offers a highly configurable data model that enables organizations to make changes and scale the IT platform according to business requirements. The extendable workflow designer easily extends data control to all systems and areas of the business, and built-in best-practice processes for core identity lifecycle management, compliance control, attestation, provisioning, and access risk management seamlessly adapt access control to business processes and reduce user management costs.
THE BUSINESS VALUE OF IDENTITY MANAGEMENT AND ACCESS GOVERNANCE
IT Security:
>> Protect sensitive data and business critical IP from accidental or illegitimate access, fraud and theft
>> Enforce corporate policy across all data stores and establish full data access overview
>> Clean up data and monitor access privileges
Reduce Cost:
>> Reduce the cost of maintaining cross-system access security
>> Reduce the cost of adhering to the agreed security and risk levels within user and access management and protection of data and IP
>> Capture and clean access data to reduce license costs by finding and deleting unused or expired accounts
Compliance:
>> Comply with regulatory compliance legislation like SoX, HIPAA, CoBIT, EU GDPR, ISO27001, BaFin and other country-specific regulations
>> Ensure that the invested compliance effort renders de facto control
>> Ensure that access granted complies with corporate, best-practice, or SoD policies
Efficiency:
>> Provide easy access via a self-service access request portal
>> Automated processes minimize errors caused by manual input and flawed data
>> Support the business by onboarding new applications as required without compromising security policies and compliance requirements
OMADA IDENTITY SUITE Grow your business efficiently and securely. Omada Identity Suite provides a strong set of governance and administration features for identity and access that includes tools for the entire identity lifecycle process, access request processes, policy management, and attestation.
Happiest Customers Customer satisfaction is key to Omada and our solutions and services are highly rated.
Easy to Configure Highly configurable data model, which allows organizations to scale and make changes without changing the product.
Best Cost-Benefit Omada’s solution offers fast ROI and best cost-benefit among leading IAM vendors.
Integrated identity management and access governance SOLUTION OVERVIEW OMADA IDENTITY SUITE - REFERENCE ARCHITECTURE Omada’s solution empowers enterprises to manage identities across heterogeneous IT systems. The flexibility of the solution allows a high degree of configurability, enabling organizations to meet business-specific requirements. This approach reduces the need for custom development, decreasing deployment time, so ROI is achieved quickly. Central to the Omada reference implementation approach and the Omada reference solution architecture is to enable large enterprises to gain control of users’ entitlements across a very wide range of systems, and at the same time enable them to stay in control for the future:
[Reference architecture diagram: Identity Management Portal (Compliance Workbench, Surveys, SOD, ILM, Self-service); Desired state and Actual state; Role & Policy Engine; Auth. source(s); connected systems: AD, LOB App., SAP, Web portals, Cloud]
HIGH-LEVEL IDENTITY MANAGEMENT AND ACCESS GOVERNANCE FUNCTIONALITY
Identity Lifecycle Management Identity Lifecycle Management processes enable the granting of access rights according to defined roles, rules, and policies, including standard on-boarding, transfer, and off- boarding processes.
Self-Service Access Request Replaces labor intensive and inefficient manual requests by unifying access request processes in a user-friendly, configurable portal with multi-level approval workflows.
Application Lifecycle Management Automated processes enable on-boarding of new applications as a virtual resource, including setting default access rights based on the existing IAM framework. Ensures the appropriate transfer of privileges and alerting of dependencies.
Policy and SoD Management Define policies for toxic combinations of access rights assigned, detect violations, and evaluate these to determine if the combination of access rights should be allowed or blocked.
Compliance Workbench Provides reporting and management dashboards for identity management and governance scenarios. The built-in analysis and reporting features deliver identity intelligence and answers to the basic questions of ‘who has access to what’ and ‘who approved that access’.
Reporting and Analysis Cross-system reporting and analysis is enabled through the Omada Data Warehouse. Identity and access data are imported from the systems and applications across the enterprise for historical logging, reports, recertification, validation against policy, and reconciliation of actual versus desired state.
Provisioning Supports automated provisioning and deprovisioning of users’ access. Target system provisioning can be automated from policy-driven access rules and defined roles, or can be manual, supported by integration with a service desk solution. Omada offers a large range of standard connectors.
Recertification Enables easy attestation for validation and approval of the current state of identities, account ownership, and resource assignments. The Recertification Engine allows for the definition of scheduled or event-based attestation/certification as well as on-going periodic re-certification approaches.
Password Management Enables easy password reset without contacting the helpdesk. The Omada Password Management solution enables synchronization of passwords across all connected applications, so the user only has one password to remember.
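As an added illustration of the two governance checks described above, the SoD policy evaluation for toxic combinations of access rights and the reconciliation of actual versus desired state, here is example code written for this page; it is not part of Omada Identity Suite, and the identities, entitlement names and policy are constructed samples.

```python
# Constructed sample: entitlements as an IGA tool would import them from
# target systems (the "actual state"), keyed by identity.
ACTUAL = {
    "alice": {"sap:create_vendor", "sap:approve_payment"},
    "bob": {"ad:domain_users", "sap:create_vendor"},
    "carol": {"ad:domain_users", "ad:domain_admins"},
    "dave": {"ad:domain_users"},  # account with no HR identity behind it
}

# Constructed sample: what roles and policies say each identity should hold
# (the "desired state"); erin is a new joiner not yet provisioned.
DESIRED = {
    "alice": {"sap:create_vendor"},
    "bob": {"ad:domain_users", "sap:create_vendor"},
    "carol": {"ad:domain_users"},
    "erin": {"ad:domain_users"},
}

# SoD policy: pairs of entitlements that must never be held by one identity.
SOD_POLICIES = [("sap:create_vendor", "sap:approve_payment")]


def sod_violations(actual, policies):
    """Return {identity: [toxic pair, ...]} for every breached SoD policy."""
    out = {}
    for ident, ents in actual.items():
        hits = [p for p in policies if p[0] in ents and p[1] in ents]
        if hits:
            out[ident] = hits
    return out


def reconcile(actual, desired):
    """Diff actual against desired state.

    Returns (to_revoke, to_provision, orphans):
      to_revoke    - entitlements held but granted by no role or policy
      to_provision - entitlements granted by policy but absent in the systems
      orphans      - accounts with no corresponding identity in desired state
    """
    to_revoke, to_provision = {}, {}
    orphans = sorted(set(actual) - set(desired))
    for ident, wanted in desired.items():
        have = actual.get(ident, set())
        if have - wanted:
            to_revoke[ident] = sorted(have - wanted)
        if wanted - have:
            to_provision[ident] = sorted(wanted - have)
    return to_revoke, to_provision, orphans
```

Run on the sample data, the SoD check flags alice, and the reconciliation proposes revoking her payment approval and carol's admin group, provisioning erin, and reviewing dave's orphaned account.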
BEST-PRACTICE PROCESSES Built-in standard processes Omada Identity Suite is based on Omada’s process reference model, which is built on concepts from COBIT and other process frameworks. Built-in processes are available for identity lifecycle management, access management, and business alignment. All functional areas are bookended with full governance and administration processes for a complete IGA solution.
Implementation approach Central to the Omada reference implementation approach and reference solution architecture is to enable large enterprises to establish control of users’ entitlements and data access across a wide range of systems, and at the same time enable them to continuously remain in control. Imperative to achieving this goal is the ability to incrementally establish an IAM solution, perform necessary data cleaning, and manage and control critical business systems. This minimizes the implementation risk and avoids big-bang implementations and go-lives.
Omada is a market-leading provider of solutions and services for identity management and access governance. Omada enables organizations to achieve sustainable compliance, reduce risk exposure, and maximize efficiency. Omada’s solutions efficiently manage and control users’ access rights to applications and data, reducing IT costs and resource-intensive administration processes. Established in 2000, Omada has operations in North America and Europe, delivering solutions directly and via a network of skilled partners and system integrators. Omada is recognized as a trusted advisor and has provided advanced identity management solutions for organizations with some of the largest and most complex IT infrastructures in the world. info@omada.net | www.omada.net
This magazine was sponsored by:
www.cronossecurity.be