Mobile, Big Data, Social Platforms, Cloud: la Sicurezza IT al centro della Terza Piattaforma

Transcript

1 Mobile, Big Data, Social Platforms, Cloud: la Sicurezza IT al centro della Terza Piattaforma Security Summit Milano 2015 Fabio Rizzotto Senior Research and Consulting Director, IDC Italia

2 55% delle aziende europee ha avviato progetti di riorganizzazione IT negli ultimi 12 mesi. 50% delle aziende europee ha creato una nuova struttura dedicata all Innovazione. Fonte: IDC's European IT Executive Survey, 2014 (n = 1,310) 2

3 Shadow IT: What Your Clients Do Not Know Will Hurt Them 6 % 6 % I6 % 6 According to According IT: According to IT to Business: Percentage of technology Percent of Technology Percentage of technology spending that is shadow Spending that is Shadow spending that is shadow Source: IDC Business Technology Study, May 2014 and IDC CIO Sentiment Study, January,

4 Dove va a finire l Information Technology.. IT-enabled business processes Automating business processes IT-enabled services Transforming business processes IT-enabled products Creating IT-enabled products Degree of innovation 4

5 Trasformazione guidata da Terza Piattaforma Digital & IT enabled product & services IT enabled business processes 5

6 Nel frattempo però...le aziende sono esposte e gli attacchi aumentano Sony Picture Entertainment (The Interview, 40GB vs 100TB, Guardian of Peace, North Korea?) Belgacom (Regin malware, European Parliament, GCHQ/NSA) Social Arena (Snapchat/iCloud/Twitter, beware what you share, reputation...) Infrastrutture compromesse (Factoring Attack on Rsa-Export Keys Vulnerability, Equation Group) 6

7 Complexity of attacks Lo scenario dei rischi emergenti Governative agency Influence-oriented Hacktivism Resource-oriented Frequency < 1/10 Industrial espionage, organized crime Common People Frequency > 1/5 Frequency of attacks 7

8 Not behind my firewall 8

9 Western European Organizations: priorità di business Could you rate the following business initiatives in terms of how much they are leading your company's business agenda for the next 12 months? (1 = "not at all important" and 5 = "most important")? WESTERN EUROPE BUSINESS PRIORITIES S E N S I T I V E D A T A P R O T E C T I O N R E G U L A T O R Y C O M P L I A N C E S A L E S P E R F O R M A N C E I M P R O V E M E N T R E D U C I N G O P E R A T I O N A L C O S T S C U S T O M E R C A R E E N H A N C E M E N T I T O R G A N I Z A T I O N C O N T R I B U T I O N T O B U S I N E S S G O A L S P R O D U C T O R S E R V I C E I N N O V A T I O N S U P P L Y C H A I N / P R O C U R E M E N T E F F I C I E N C Y M A R K E T I N G E F F E C T I V E N E S S I M P R O V E M E N T M U L T I C H A N N E L D E L I V E R Y S T R A T E G Y E N E R G Y E F F I C I E N C Y / G R E E N / S U S T A I N A B I L I T Y O R G A N I Z A T I O N A L R E S T R U C T U R I N G O R M & A A C T I V I T I E S 9

10 Consumerization of IT and IT-ification of Consumers ENTERPRISE Cloud Computing BLENDED CONSUMER/ EMPLOYEE Mobility Create Many Types of Content on Many Devices 10

11 Cloud: una realtà già consolidata L 80% delle aziende mondiali ritiene che trasformerà nei prossimi 5 anni almeno il 50% del proprio ambiente infrastrutturale e applicativo in un modello Cloud Secondo l IDC European CloudTrack Survey, il 97% delle aziende europee è coinvolto a vari livelli nel Cloud (dalla fase esplorativa fino a adozione di modelli Public, Private o Ibrida) Secondo recenti indagini IDC Italia, il 40% delle aziende italiane utilizza già servizi Cloud Circa il 40% delle aziende è interessata a fare bundling di soluzioni Saas con altri servizi Cloud Utilizzando Servizi Cloud, il 39% delle aziende ha incrementato il fatturato grazie a una più rapida ed efficace creazione di prodotti e servizi innovativi 11

12 ..ma ci sono sfide legate alle Sicurezza Principali sfide relative alla Sicurezza degli ambienti Cloud Perdita/sottrazione dei dati Gestione identità e accesso Disponibilità dei servizi Cloud Data privacy/gestione compliance Localizzazione dei dati 50% 55% 60% 65% Fonte: IDC's 2014 European Software Survey, n = 1,309 12

13 IT Security Concerns in Italia: Necessità di espandere le risorse QUALI SONO LE PRINCIPALI CRITICITÀ DI SICUREZZA IT DELLA SUA AZIENDA? I N S U F F I C I E N Z A D E L B U D G E T D E D I C A T O A L L A S I C U R E Z Z A I T M A N C A N Z A D I C O N F O R M I T À D E I D I P E N D E N T I A L L E P O L I C Y S U L L A S I C U R E Z Z A M A N C A N Z A D I U N A S T R A T E G I A D E L L A S I C U R E Z Z A E D I P O L I C Y A D E G U A T E P R E S S I O N E C R E S C E N T E D I A T T A C C H I S E M P R E P I Ù S O F I S T I C A T I I N A D E G U A T E Z Z A E R A P I D A O B S O L E S C E N Z A D E L L E S O L U Z I O N I D I I T S E C U R I T Y D I F F I C O L T À N E L G A R A N T I R E A L L A S I C U R E Z Z A U N S U P P O R T O 2 4 X 7 C A R E N Z A D I P E R S O N A L E Q U A L I F I C A T O S U I T E M A D E L L A S I C U R E Z Z A I T P R E S S I O N E C R E S C E N T E D E L R E G O L A T O R E P U B B L I C O 0.0% 10.0% 20.0% 30.0% (IDC Italy, 2015, n=110, Mid-large Enterprise) 13

14 IT Security: ancora pochi investimenti in «next generation» solutions PRIORITÀ DI INVESTIMENTO NEL % 10.0% 20.0% 30.0% 40.0% B U S I N E S S C O N T I N U I T Y & D I S A S T E R R E C O V E R Y S T R U ME N T I D I S I C U R E Z Z A T R A D I Z I ON A L E S E R V I Z I D I S I C U R E Z Z A I N T EL L I G E NT E S E R V I Z I D I S I C U R E Z Z A G E S T I T I (IDC Italy, 2015, n=110, Mid-large Enterprise) 14

15 Securing IT s Four Pillars Cloud Mobile Social Networks Big Data (Threat Intelligence) Early detection & mitigation of targeted, unknown attacks. Granular logging and policy enforcement of internal and external regulations. Predictive Privileged Access Management, Federated Identity, Multi-factor Authentication, Data Protection, & Vulnerability Assessment Strong Authentication, Data Protection, Web/Messaging SaaS, & SSO Data Loss prevention with data protection, global regulatory policy monitoring, & real-time policy enforcement & education Raw & analyzed threat feeds from multiple sources integrated with management consoles Proactive VPN, Single Sign- On, Encryption, & Strong Passwords Mobile Device Management Keyword-based monitoring & logging Network monitoring and SIEM Reactive Access control Device Password Acceptable Use Policy Signature-based detection 15

16 The rise of Security Market 16

17 Quale è il vostro stadio di IT Transformation? Traditional Security approach Core IT Ad Hoc 6% No effort between business and IT to coordinate or incorporate 3rd Platform Core IT technology 40% Opportunistic 2nd Platform IT Uncoordinated efforts between business and IT around 3rd Platform implementations; limited progress toward 3rd Platform adoption 2nd Platform IT Repeatable 27% 3rd Platform IT Coordinated efforts between business and IT around 3rd Platform implementation allow organization to keep pace with peers in 3rd Platform adoption 3rd Platform IT Managed Business Innovation Effective partnership between business and IT around 3rd Platform implementations allows organization 15% to outpace competitors through the use of 3rd Platform Business Innovation 67% of organizations are operating at a 2nd Platform IT or 3rd Platform IT transformational stage Optimized Next Generation Security approach Business Transformation Highly orchestrated interaction between business and IT around 3rd Platform implementations, enabling a world-class organization with lasting competitive advantage driven by 3rd Platform transformation and an organization that has embraced it. 4% Business Transformation n = 156 Source: IDC's Enterprise IT Transformation MaturityScape Benchmark Study, August,

18 Il mondo corre veloce...verso nuovi (eco)sistemi Fantasia o realtà? Disegno un nuovo prodotto grazie a processi di engagement su canali social, costruisco strategie di marketing e vendita con la correlazione di dati da fonte diverse, realizzo il prodotto con stampanti 3D, consegno tramite droni, consento mobile payment, faccio formazione e assistenza tramite realtà aumentata.. 18

19 e l evoluzione sarà sempre più rapida Realizzare oggetti fisici partendo da progetti digitali Connettere in modo più semplice e potente le persone e la 3 rd Platform attraverso voce, immagini, movimenti touch e altro Trasformare la conoscenza del mondo digitale in azioni nel mondo fisico attraverso robots, self-driving car, droni, nanobot Iper connessione di auto, palazzi, case, attrezzature industriali, wearables strumentazione medica Sistemi che osservano, imparano, analizzano, offrono suggerimenti e creano nuove idee Una nuova generazione di tecnologie e soluzioni di sicurezza, disegnate per tenere il passo con l'espansione della 3rd Platform 19

20 Next Generation Security: Accelerates or Obstructs Innovation? IoT-based robotics & drones connected to cloud, mobile, and social Natural Interfaces driven by biometrics in mobile 3D Printing compliance controlled from the cloud Cognitive systems and analytics bolster predictive analysis & threat intelligence 20

21 Perché abbiamo bisogno di una nuova sicurezza IT 3rd Platform focus on User Experience (UX) vs. cost vs. shared risk across multiple platforms 2nd Platform focused on risk and cost across PCs and servers 1st Platform focused on risk-based access on centralized servers and terminals 21

22 Security is Always an Elastic Compromise 22

23 3rdPlatform Security Dynamics: Cloud and Mobile 3rdPlatform Dynamics: Cost Savings Outweighing Risk 3rd Platform Dynamics: User Experience (UX) Trumps Cost, but Risk is a Sharply Rising Concern Risk Cost Mobile UX 23

24 3rdPlatform Security Dynamics: Social and IoT 3rd Platform Dynamics: User Experience is Paramount, but Awareness of Risk is Growing. 3rd Platform Dynamics: Risk is Critical and Defined by Safety of Personnel and Reliability of Operations. Risk Risk Cost Social UX Cost IoT UX 24

25 A single department or a business unit ORGANIZATIONAL IMPACT Multiple departments IDC FutureScape Perspective on Security IDC s CIO Agenda Top 10 Decision Imperatives on IT Security or business units Companywide Legend: 1. Risk-based budgeting 2. Biometric ID 3. Threat Intelligence 4. Data Encryption 5. Security SaaS 6. User Management 7. Hardening Endpoints 8. Security as a feature 8 9. Software Security Executive Visibility TIME (MONTHS) TO MAINSTREAM Note: The size of the bubble indicates complexity/cost to address. Source: IDC,

26 Chi è responsabile della sicurezza IT? Dipartimento IT generale 60% Gruppo Sicurezza 30% Servizio gestito 10% 26

27 Competenze sempre più sofisticate New Skills Advanced Skills Basic Skills Malware analysis Data mining & analysis Machine learning Project mgmt Security Standard Implementation Hacking Practices Network Administration Scripting/ programming Software Vulnerabilities 27

28 Data Privacy, Compliance, Regulations In attesa della nuova EU Data Protection Regulation New (draft) regulations, cornerstones Sanctions Data transfers to non-eu countries Right to erasure Explicit consent Data Protection Officer Profiling 28

29 Have CISO's Been Invited to the (Board) Table? Frequency of interactions with their respective boards of directors IDC found that 42% of CISOs were reporting to their company's board of directors on a quarterly basis On the other hand, there are still 12% of organizations in which the CISO has never addressed its board How the frequency level has changed over past years 62% of security executives surveyed believe that the frequency of communications has increased and the impact has been positive 11% of CISOs responded that the impact was positive though the frequency did not change Source: IDC's State of the "C" in CISO Survey,

30 Incident notification and disclosure: CISO vs Board Have you ever had to notify senior management of a breach? Have you ever disagreed with senior management about the need to disclose a breach? Yes 78% Yes 45% NO 22% NO 55% Source: IDC's State of the "C" in CISO Survey,

31 Conclusioni Web / Internet: da nuova frontiera a strumento di controllo L industria e l ecosistema del cybercrime sono più sofisticati, potenti e collaborativi della maggior parte di imprese e istituzioni Regulations necessarie, ma non sufficienti Aumentare il livello di attenzione nelle organizzazioni (verso l alto e orizzontalmente) con adeguata preparazione ma senza rigidità Predictive Security è necessaria, il Cloud può dare una mano Approcciare la Sicurezza nei futuri scenari economici richiederà bilanciamento tra molteplici fattori (improving user experience, reducing risk, lowering costs, etc..) 31

32 Fabio Rizzotto Senior Research and Consulting Director IDC Italia IDC Visit us at IDC.com and follow us on 32