0 © Fujitsu Technology Solutions GmbH 2017
Executive Customer Council 2017
30 and 31 May 2017, Würzburg
Security architecture and security culture as an essential part of a "Digital Enterprise Strategy"
Robert Mayer, CIO Office
Senior Director Information Technology Group EMEIA
Head of ITG Product Group Services
Agenda
Increased Demands: Security Frameworks in a Digital & Hyperconnected World
Enterprise Architecture: Integrated Security Architecture
Secured Identities: Identity Access Management
Evolving Lifecycle: Intelligence Led Security
Managed Services: Overview Security Offerings
Bringing it together: Information Security Management System (ISMS)
Food for Thought: Putting Security in First Place
Increased Demands: Security Frameworks in a Digital & Hyperconnected World
Forrester: Top 10 focus areas for CIOs in 2017 (chart; legend: relevant (8), very relevant (9), highly relevant (10), on a scale from 0 to 10)
New Disruptive Technologies: Virtual Reality, Cloud Computing, Internet of Things, Machine Learning, Artificial Intelligence, Cognitive Robotics, 3D Printing, Communication & Collaboration
The Risk of a "Hyperconnected World" … and recent attacks
Sources: Symantec Internet Security Threat Report, 2016, and UK National Cyber Security Centre (NCSC) and the US National Security Agency (NSA), 2017
Medical devices. Researchers have found potentially deadly vulnerabilities in dozens of devices such as insulin pumps and implantable defibrillators.
Smart TVs. Hundreds of millions of Internet-connected TVs are potentially vulnerable to click fraud, data theft and even ransomware.
Cars. Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack in which they managed to take control of the vehicle remotely.
The cyber attack on power supplies in Ukraine. The first confirmed case of cyber-enabled disruption to electricity supply on a regional scale.
The Yahoo data breaches. Although the breaches happened in 2013-2014, they were revealed only in 2016 and ultimately took $350m off the sales price of Yahoo.
The US Democratic National Committee (DNC) breach. The sheer scale of the incident highlights the vulnerability of political parties to cyber attacks.
… and the latest attack: The WannaCry ransomware attack started on Friday, 12 May 2017 and has been described as unprecedented in scale, infecting more than 230,000 computers in over 150 countries. Parts of Britain's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.
By 2018, new legislation will drive security requirements: Network & Information Security Directive (NIS) & General Data Protection Regulation (GDPR)
New Legislation
• Network and Information Security Directive (NIS): harmonized requirements on each Member State's legislation; each member state must pass a national law based on the directive by 2018
• General Data Protection Regulation (GDPR): the regulation is valid as is in every country from 2018 on; countries may add national extensions; open issue: is the relevant law that of the consumer's or the provider's jurisdiction?
Main Customer Tasks
• Information Systems and Data Governance: evidence of policies and effective implementation, e.g. Security Audit, Data Protection Impact Assessments, Data Protection Officer to be implemented
• Reporting: Records of Processing; specific reporting of security incidents / data breaches without undue delay
• Severe Fines: GDPR: 20M€ or 4% of annual turnover
Prepare Now!
• Governance, Risk and Compliance: Security Consulting, e.g. Continuity & Resilience; Data Protection, e.g. IAM, encryption; MSS, e.g. vulnerability management, perimeter protection, content inspection
• Assessments & Audits: Security Audits; Privacy Impact Assessment
• Detect and Response: Cyber Threat Intelligence; SIEM enhanced by reporting according to NIS/GDPR
Aspects of Security in a Hyperconnected World
CIOs need to consider effective security management strategies backed up with appropriate processes and technologies.
Source: Fujitsu White Book of Cloud Security, http://www.fujitsu.com/global/Images/WBOC-2-Security.pdf
Internal Focus: Global CISO Organization
• Partnering with CyberSecurity Business Strategies Unit to launch new security solutions
• Founded Top Gun Training Program for Fujitsu Executives and Cybersecurity Professionals
CISO Office:
• Naoyoshi Takatsuna, Chief Information Security Officer
• Akihiro Yoshida, Head of Corporate Affairs and Risk Management Unit
• Tom Duffy, Deputy Head of Corporate Affairs and Risk Management Unit; Deputy Head of Legal, Compliance & IP Unit
Risk Management & Compliance Committee
Regional CISOs:
• Jeff Meier, Americas CISO
• Craig MacPherson, EMEIA CISO
• Tsutomu Nishijima, Japan/Asia/Oceania CISO
Enterprise Architecture: Integrated Security Architecture
Connected Services to support Digital Transformation
Fujitsu’s Management Direction, October 27, 2016
Enterprise Architecture Lifecycle
Elements of the lifecycle diagram: Business Objectives, Business Strategy, Current IT Landscape, Corporate IT Strategy, IT Roadmap, Business Processes, Business Functions, Business Demand
"AS-IS Evolution" or "TO-BE Revolution": Future IT Landscape
Enterprise Architecture Domains
Business Architecture: The business strategy, governance, organization, and key business processes.
Application Architecture: A blueprint for the individual applications to be deployed, their interactions, and their relationships to the core business processes of the organization.
Technology Architecture: The logical software and hardware capabilities that are required to support the deployment of business, data, and application services. This includes IT infrastructure, middleware, networks, communications, processing and standards.
Information Architecture: The theory, principles, guidelines, standards, conventions and factors for managing information as an enterprise resource. The structure of an organization's conceptual, logical and physical data assets and data management resources.
Security Architecture: The practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational units.
Service Architecture: The principles, structure and financial characteristics of the current and future services.
People Architecture: The organizational alignment and role models required in an organization to govern or provide business and IT related services.
2017: Main focus is on the "H"!
Secured Identities: Identity Access Management
Increasing Importance of Digital Identity
Consolidation of >100 Domains in One Global Active Directory
Addressing the Identity Theft Risk with a Secured Central Administration Platform
Evolving Lifecycle: Intelligence Led Security
Cyber Defences result in … Intelligence Led Security
End-to-End Attack Points: Endpoint – Transfer – Data Center
Managed Services: Overview Security Offerings
CyberSecurity Business Strategies Unit: Fujitsu EMEIA Security Offerings
The Answer to Security is in the Palm of Your Hands
With Fujitsu's PalmSecure technology, people can confirm their identity by scanning their unique palm vein pattern. Security no longer revolves around authenticating passwords; it's all about authenticating people. It simplifies procedures, reduces costs and, most importantly, increases security.
How palm vein security works
1 Position hand over sensor
2 Sensor focuses & detects live hand
3 Hand is scanned with near-infrared light and vein patterns are captured
4 Hand veins are recorded and compared with the pattern stored either locally (e.g. SmartCard) or in a database
Why Biometrics is the right choice for IAM
Precision of Biometrics
Biometrics clearly is the superior method for processes requiring authentication
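The four-step palm vein flow above, and the "precision" claim on this slide, both come down to the same mechanics: a liveness gate, a lookup of the enrolled template, and a similarity score compared against a threshold whose position sets the false-reject and false-accept rates. The following is an added, generic illustration written for this page; it is not Fujitsu's PalmSecure code, and the templates, the Hamming-distance matcher, the `TemplateStore`, the 0.9 threshold and the user ids are all constructed assumptions (real vein templates and matchers are vendor-specific).

```python
"""Generic biometric verification flow (added illustration, not PalmSecure code).

Models the four slide steps: live-hand gate, capture, lookup of the enrolled
template (local smart card or central database), and a threshold comparison.
Templates here are constructed bit strings; real vein templates and matchers
are vendor-specific and not public.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Capture:
    template: bytes   # constructed feature bits; a real sensor produces a proprietary template
    live: bool        # outcome of the sensor's live-hand (blood circulation) detection


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def similarity(a: bytes, b: bytes) -> float:
    """1.0 means identical bits, 0.0 means every bit differs."""
    return 1.0 - hamming_distance(a, b) / (8 * len(a))


class TemplateStore:
    """Enrolled templates; stands in for a smart card (one entry) or a database."""

    def __init__(self, templates: Dict[str, bytes]):
        self._templates = dict(templates)

    def lookup(self, user_id: str) -> Optional[bytes]:
        return self._templates.get(user_id)


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    score: Optional[float] = None


def verify(user_id: str, capture: Capture, store: TemplateStore,
           threshold: float = 0.9) -> Decision:
    """Accept only a live capture whose similarity to the enrolled template
    reaches the threshold. Biometric matching is never an equality test:
    two scans of the same hand differ slightly, so a threshold is needed."""
    if not capture.live:                       # step 2: liveness gate runs first
        return Decision(False, "liveness check failed")
    reference = store.lookup(user_id)          # step 4: fetch the enrolled pattern
    if reference is None:
        return Decision(False, "no enrolled template")
    score = similarity(capture.template, reference)
    if score >= threshold:
        return Decision(True, "match", score)
    return Decision(False, "below threshold", score)


def error_rates(genuine: Iterable[float], impostor: Iterable[float],
                threshold: float) -> Tuple[float, float]:
    """(FRR, FAR) for a threshold: raising it rejects more genuine users,
    lowering it accepts more impostors. These two numbers are what a
    vendor's 'precision' figure for a biometric refers to."""
    genuine, impostor = list(genuine), list(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


# Constructed sample data (not real vein data).
ENROLLED_TEMPLATE = bytes(range(16))                     # 128 bits
# Same hand rescanned: 4 bits differ (sensor noise) -> similarity 0.96875
GENUINE_CAPTURE = bytes(b ^ 0x01 if i < 4 else b for i, b in enumerate(ENROLLED_TEMPLATE))
# Different person: 40 bits differ -> similarity 0.6875
IMPOSTOR_CAPTURE = bytes(b ^ 0x0F if i < 10 else b for i, b in enumerate(ENROLLED_TEMPLATE))
STORE = TemplateStore({"alice": ENROLLED_TEMPLATE})


def demo() -> Dict[str, Decision]:
    """Run the flow for the three cases a verifier must tell apart."""
    return {
        "genuine": verify("alice", Capture(GENUINE_CAPTURE, live=True), STORE),
        "spoof": verify("alice", Capture(GENUINE_CAPTURE, live=False), STORE),
        "impostor": verify("alice", Capture(IMPOSTOR_CAPTURE, live=True), STORE),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:9s} accepted={d.accepted} reason={d.reason} score={d.score}")
```

The ordering matters for a defender: the liveness result is checked before any template is read, so a replayed or printed pattern never reaches the matcher, and a missing enrolment is reported separately from a failed match so that logs distinguish the two.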
PalmSecure at a glance
Three headline claims: 1 Highest level of security & performance; 2 Extremely precise; 3 Accepted everywhere
• Very hygienic because contact-free
• Easy and intuitive operation
• High level of privacy because hidden under the skin
• Palm veins are complex: >5 million reference points
• Palm has thicker veins than fingers, so it is easier to identify
• Palm veins are not sensitive to external factors
• Hidden under the skin
• Unique (even in the case of twins)
• Traits do not change for the entire lifetime
• Live hand detection: only usable if blood circulation is detected
Information Security Management System (ISMS)
EMEIA Operating Model
EMEIA Governance Framework
EMEIA Security Governance Model
Information Security Implementation
• Creation of EMEIA Security Framework
• Definition of the EMEIA Security Audit Strategy
• Launch of the EMEIA wide ISMS
• Awareness Training (Fujitsu International Online Learning Application)
• Alignment of basic Security Processes (Incident, Risk, Comms)
• Planning and performance of Security Audits
• Management Review (ECSF = EMEIA Cyber Security Forum)
Food for Thought: Putting Security in First Place
Current closing thoughts …
Is there a minimum standard for Mobile Device Management?
Security patch management for billions of IoT devices?
CISO study: "In the event of damage, the costs are a factor of 100 higher"?
The Bundeswehr commissions a cyber force! Who would have thought it: Israel?
IT security job market: security specialists are slowly becoming scarce; security engineers and hackers increasingly sought after?
(Public) cloud and IT security / IT compliance?
Cyber security: enabler for new business models?
Industrie 4.0: Industrial Security Operation Center (SOC)?
Agile, dynamic security concepts: security at the push of a button?
What will the "mega security breach" of the future look like?
Thank you for listening!
Contact:
Robert Mayer, Head of ITG Product Group Services
Information Technology Group (ITG), EMEIA
Bürgermeister-Ulrich-Straße 100, 86199 Augsburg
Tel.: +49 (821) 804 2043
Mob.: +49 (171) 2250393
Fax: +49 (821) 804 8 2043
E-mail: [email protected]