ISE® West Executive Forum 2010
Trends In Identity and Access Management: Transforming Security into an Enabling Function
VP IT Governance & Chief Information Security Officer
MGM Resorts International
ISE® West Executive Award 2008 Finalist
The digital world is dramatically altering the way business gets done, resulting in numerous security challenges for organizations. The internal corporate network is now a connected web of people and devices as more employees work remotely, and partners, customers and vendors are given access to corporate systems and sensitive data. This connected business model often means managing access for users the company knows little about. To complicate matters, cloud-based applications are on the rise, bringing more challenges to managing user security. Layered on top of these business considerations is the requirement to meet industry-specific standards and comply with regulations such as HIPAA, SOX and PCI. Businesses must prove accountability around data access and management.
As businesses mature, they must be able to manage rapid change, establish effective formal governance, and provide accountability through transparency. Identity and access management and compliance solutions form the cornerstone of an organization's governance, risk and compliance strategy and serve as a basis for transforming security into an enabling function. Implementing these programs can be complicated and time-consuming, but enterprises may be able to simplify the process and make tangible contributions to enterprise business goals if they consider vendors that are developing ways to integrate IAM offerings with other compliance solutions.
Dive deeper into the discussions and share your ideas with your executive peers:
- What are the characteristics of a world-class IAM program? Can IAM, IT and the enterprise peacefully co-exist? What does the future hold for IAM as it evolves?
- What role does identity management play in the cloud? What are the differences between traditional IAM and cloud computing IAM in terms of drivers and requirements? How are solution providers addressing cloud IAM needs?
- What are the best ways to articulate the business value of IAM programs? How can you develop a framework to link security and IAM strategy to business strategies?
- Discuss the emerging integration of IAM and DLP. What are the ways that IAM enables DLP, and vice versa? How does the integration make both systems more valuable?
- What are the capabilities and limitations of IAM audit functions? Is security information and event management technology an answer? If so, how can SIEM technology be used to fill IAM audit gaps?
- The value of service-oriented architectures is business agility. How might integrating IAM into SOA ease IAM deployments?
Outsourced or Outsmarted: How to Avoid the "Gotchas" in Outsourcing
Chief Information Protection Officer and General Manager of Global Information Risk Management
It seems like a win-win: Outsource that non-critical function, save money, increase efficiency, tap into deep expertise and reap the rewards of having your IT teams focus on mission-critical work. But along with the benefits comes the need to provide outsourcers with access to sensitive corporate assets.
From offshore to near shore, front office to back office, network monitoring to HR, security challenges surface whenever business processes are moved outside of the confines of the firewall. Whether it be legal liability, compliance issues, brand risk or customer concern, the more eyes and hands you have on your data, the greater the risk of something going wrong. This problem is magnified by the fact that your data may be stored on many different computers and the people accessing your data may well be on the other side of the world.
Data risks and security challenges are an inherent problem for companies that outsource. While most outsourcing firms are trustworthy and responsible, some aren't. As the saying goes, “you can outsource anything except your liability.” So how do you align your outsourcing effort with business goals while protecting the data?
Discuss in this roundtable:
- What are some of the functions that organizations continually outsource that they shouldn't?
- Recognizing the red flags – what due diligence should you do and what are the warning signs you should heed in making outsourcing decisions?
- What best practices can organizations adopt to ensure control is maintained over the security of the company, its data and its operations?
- Negotiating contracts and service level agreements – what are some of the “gotchas”? To what extent can you expect a vendor to tailor its service offerings to your requirements?
- What are the earmarks of a good audit process, and how deep should it reach into a vendor’s operations? Can you, should you, audit your vendor’s vendors? If so, how?
- What steps need to be taken to ensure adherence to privacy laws, state and federal regulations, and industry standards?
- What are the prominent causes of failure, and how can you avoid the traps and pitfalls?
Secure Social Networking: Is there an App for That?
Information Security Officer
Facebook, Twitter, LinkedIn, YouTube, MySpace. Love it or hate it, social media is part of the business world and it’s here to stay. Social media empowers businesses to build a brand, expand their reach, connect with customers and partners and facilitate the “flow of business.” While leveraging online communities presents great opportunities, many security executives express frustration over the dilemma of how to make social media available for business reasons without exposing themselves to unnecessary security risks.
Employees toggling between “friending” on Facebook and “businessing” on corporate systems leaves a company open to the exposure of personal data in the workplace; the release of corporate data to the public; the risk of identity fraud; and a host of security, governance and compliance challenges. A perfect storm is brewing between the number of people using social media and the increasingly sophisticated malware attacks being launched to prey on the data. Now, with the proliferation of third-party applications for mobile devices, the complexity and diversity of security issues become even greater as users download unsecured applications and use mobile devices for personal reasons. Financial firm USAA, for example, allows customers to deposit a check from their mobile phones by using a "remote capture" of an image of the check.
Discuss how executives, security teams and vendors are developing technologies and best practices to prevent the inappropriate exposure and exploitation of personal and corporate data through social computing.
- What are the key drivers for developing a strategy for an organization around social networking in today’s blended environment?
- Gaining an understanding of social-application governance: what are the best practices and “gotchas” in building a social governance program that fits your organization’s culture and industry?
- From a lost phone to an insecure app, what special considerations and precautions should be given to mobile devices and cell phone security?
- What types of policies should be built into your secure web gateway program—application whitelisting, content filtering, etc.?
- What are the best ways to optimize employee productivity with web application and filtering controls?
- Discuss best practices for methods to prevent information leaks and data loss.
Securing The Cloud: Is it Possible?
Vice President, IT Security, CISO
The benefits of cloud computing—accessing your data and applications stored on remote hardware by way of the Internet instead of keeping it all on your local workstation—still require a leap of faith for many. But now that a workstation can go anywhere as a smartphone, a stripped-down netbook or even an e-book reader, it's practically a virtual desktop operating in conjunction with a virtual server. If the user can be anywhere, so can the source for data and applications. Cloud computing represents a significant opportunity for enterprises to increase flexibility, gain access to best-of-breed applications, add capacity on demand and boost infrastructure resources – all at negligible cost.
As more information on individuals and companies is placed in the cloud, attention must be turned to how safe an environment it is and how we assess security and perceive risk. In the cloud, it’s difficult to physically locate where data is stored. While the cloud provider is the custodian, the data owner is still legally responsible for protecting the privacy and integrity of that data. Further, the “richer the pot of data,” the more attractive it is to cyber crooks. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. While the intent of security remains the same - to ensure the confidentiality, integrity and availability of information - cloud computing shifts control over data and operations.
Dive deeper into the discussions and share your ideas with your executive peers:
- What best practices are emerging as organizations work their way through the “loss of control” issues as information is moved to a third-party provider?
- What steps can security executives take to ensure that service providers implement, deploy, and manage security at an appropriate level?
- As organizations increase the number of cloud applications, the risk of undetected zombie accounts and over-privileged users increases dramatically. How can security executives take the pain and complexity out of user provisioning and management for cloud applications and keep control “inside the firewall”?
- As sensitive data moves to the cloud, what is the expectation of privacy, and what is the impact of jurisdiction?
- What tough questions are you asking about data integrity and recovery; do you like the answers?
- What is the impact of e-discovery, regulatory compliance, and auditing on the capability to move your organization to this environment?
- What benefits and successes are organizations seeing; are the risks worth the rewards?