Information Security in Real Business
Yuri & The Cheeseheads
Review of the problem statement and existing work

Problem statement: assessing and managing third-party vendor security requirements and practices for outsourced services.

Existing solution
  - Established Vendor Review Process
  - Technical Infrastructure Evaluation
  - Scheduled Reviews & Onsite Visits
  - Contractual Obligations
Review of the problem statement and existing work

Source: Forrester Research, and Infosys Analysis
Real World Problem – VCNA
  - E-Commerce Portal
  - Technical Literature
  - Integration with Production Lines – VINs
  - Help System
  - Payment Processing
  - VIDA Software Downloads and Configurations
Real World Problem – VCNA Cont…

Security Concerns
  - Personally Identifiable Information
  - Complete VIN List
  - Credit Card Processing
  - Trade Secrets – Software Configurations

Governing Bodies
  - EPA/CARB
  - PCI
  - Ford Motor Company
Technical Solution

Personally Identifiable Information
  - Entire site is encrypted using SSL
  - Passwords are encrypted in the database
  - Customer is segregated on an individual VLAN
  - Backups are encrypted and shipped off-site

Complete VIN List
  - Encrypted
  - Secure transmission to locksmiths

Credit Card Processing
  - Industry-standard encryption
Technical Solution Cont…

Trade Secrets – Software Configurations
  - Software Subscriptions
    - Secure login from the public Internet
    - All information is passed via HTTPS
    - Passwords are encrypted in the database
  - Configured in Sweden per Order
    - Software is placed in the shopping cart
    - Order is passed to Volvo (Sweden) over a VPN connection
    - Configured software request is sent back via VPN
Technical Solution Cont…

Trade Secrets – Software Configurations
  - Sold via e-commerce application
    - Software is purchased using a credit card
  - Transmitted to Ford network
    - Software request is sent to Ford
      - SSL encryption
      - VeriSign integration
    - Uses a VPN connection with a limited IP and port number
    - Request is dropped into a message queue
  - Configured software is downloaded from Ford
    - Installed on cars for diagnostic testing
Network Diagram
Business, Risk, and Cost Considerations

Benefits of outsourcing services/data
  - Cost savings
  - Consistency of quality
  - Expansion of business line
  - Economies of scale
  - E-Commerce site

Risks
  - Data security
  - Costs of a data breach – survey conducted by the Ponemon Institute
    - $197 per company record
    - Average total of $6.3 million per breach
    - Ranged from $225K to $35M

Feasibility
  - The outsourcing vendor has the same incentive to secure the data
    - A breach of their customers' data will be just as damaging to them as to the customer
      - Loss of revenue
      - Loss of reputation
  - The cost of securing data is low compared to the cost of a breach
    - 1 year of SSL validity – VeriSign.com: $400 - $1600 per server
      - Varies based on trust level, security level, encryption strength
  - Increasing competition will require vendors to provide adequate security levels
Legal Considerations

Legal Compliance
  - SOX
  - EPA/CARB
  - PCI
Conclusion

As long as we need to outsource data, we need to continue to balance security with usability and ensure that our vendors have the proper level of security in place for the data they have.
Q&A