
Business white paper

Rethinking your enterprise security
Critical priorities to consider

Table of contents

3 Executive summary
3 Change your security posture
4 The problem with a traditional approach to security
4 Build a sustainable security ecosystem
5 Start the journey to end-to-end security
5 Address the critical security priorities
7 Rethink your security strategy
8 Find out more

Executive summary
Technology is the fabric of the global community. And information
is the world's most valuable commodity, now created, consumed,
and delivered with always-on connectivity.
The fact is that the world is constantly evolving and always connected,
and your enterprise must be too. A business that embeds technology
into everything it does positions itself to meet whatever challenges
come along. But in a world where everything and everyone are
connected, that business can be open to harm.
Responding to continuous opportunity means you have to be
constantly aware: one step ahead of cyber attacks, and one step
ahead of security breaches. Your enterprise needs to be always
aware and ready to respond to the associated risks, so that you
avoid compliance issues, financial loss, and reputation damage.
Security for today's enterprise is not just about malware and
firewalls. As every chief information security officer (CISO) knows,
threats are now more persistent, sophisticated, and unpredictable
than ever before. CISOs also know that, in reality, it is impossible
to fully secure everything. Forward-thinking enterprises realize
that they need to focus on a sustainable approach to security
and risk management, one that is designed to address the new
wave of vulnerabilities that prevail due to increasing trends in IT
consumerization, mobility, social media, cloud computing, cyber
crime, and nation-state attacks.
HP's approach to helping you navigate these vulnerabilities is to
help you assess, transform, manage, and optimize an end-to-end
security environment.

Change your security posture

Every business decision has inherent risk, and it is essential to
understand and make decisions based on the cost and potential
value of that risk. CISOs no longer lie awake at night worrying
just about defending their organizations' perimeters and the latest
worm outbreak. The challenges facing security leaders today are far
more complex.

Consider these recent trends and their impact on risk:


Consumerization
Today's employees bring personal devices to work and take work
devices home. For many, there is no longer a hard line between
work and home devices. This can present challenges: controlling
network access, identity, application permissions, and other
elements is much more difficult than ever before.
Mobility
Working at home, on an airplane, or in another city or country has
become commonplace. Now data has a level of mobility never
experienced before, yet laptops, tablets, phones, and even printers
must accommodate secure operations.
Cloud
CIOs see the benefits of cloud computing: leveraging standardized
applications, reduced maintenance, pay-per-use models, and
reduced capital expenditures. But risk is inherent with cloud
services. Not only must CIOs maintain things such as compliance,
privacy, and transaction integrity, but they must also extend these
across the service supply chain that comprises the cloud services
they are using.
Cyber threats
The range and potential damage of cyber threats increase
every day. Between the dangers of nation-state attacks, the
unpredictability of hacktivism, and the burgeoning market
that surrounds cyber criminals, every enterprise must take a
defensive posture and assume it is under attack. Furthermore,
unlike the simple viruses and malware of the past, the most
damaging cyber attacks are mostly low and slow: multiple points
of entry are plotted slowly over time, avoiding individual detection
while collectively posing a serious threat of surreptitious damage.
Social media
Sharing of information across social media can seem innocuous.
Yet when you consider the data that might be shared on Twitter,
Facebook, or LinkedIn, coupled with the ability to aggregate
and correlate that data, it's much easier than ever before to
inadvertently expose sensitive information. Further, social
engineering has taken risk to a new level. Emails that appear
to come from a friend or colleague can disguise any number
of exploits, from malware to information exposure.

Consider today's reality for most enterprises:

Compliance infringement can be very expensive, and
being compliant is difficult because most data breaches
happen as a result of third-party mistakes. It's also
difficult to keep up with industry, regional, and local
regulations at once.
Financial loss comes in many forms, with the
average cost now associated with a data breach in
the United States at US$6.75 million.
Reputation damage is another major concern, and many
enterprises are realizing that it is hard to quantify your
reputation until it is damaged.

The problem with a traditional approach to security

Over the years, as systems, software, and the Internet have evolved,
the approach to information security has followed right along. In most
enterprises, each new project or program includes some measure
of security, often added at the tail end of implementation. This
has given rise to today's security market; today, there are literally
thousands of security vendors, technologies, and solutions available.
There is security for the network, for servers and storage, for data
and content, for identity and access management, for encryption,
for application security, and more.
Because security has traditionally been a project afterthought, most
enterprises currently support a wide array of unrelated products
and uncoordinated processes. Point solutions provide point data,
actions, and reports; however, they can only address specific point
objectives and decisions. This traditional approach to accumulating
one-off security technology has left the enterprise with a variety
of security point solutions that address only a sampling of its point
security vulnerabilities.
Furthermore, security is scattered across silos, business units, and
functional areas, including IT, accounting, legal, HR, and the security
office itself. Compounding this situation is the maze of compliance
needs and regulations, both industry-specific (such as HIPAA for
healthcare) and cross-industry (such as PCI), all of which increase
the burden for the CISO.
The lack of coordination between people, process, and technology
results in significant blind spots for an enterprise: blind spots that
attackers are all too happy to exploit.
Clearly, continuing to pile on more software, more processes,
and more stopgap measures is not a viable solution. The fact is
that threats have become more common, more complex, and
more costly. That's why nearly half of all enterprises now have a
designated CISO whose primary job is to protect information capital
so that compliance, financial, and reputation risk can be minimized.

Build a sustainable security ecosystem

Obviously, several issues have arisen from the reliance on a
traditional approach to security. Many enterprises now have a
patchwork of processes and technologies that simply don't work
well together.
Maybe it's time to rethink security in a broader context and to
bring everyone in your enterprise together, across silos and
functional roles, so that you can protect what really matters: the
information capital running through all your business processes.
The challenge is to create an integrated ecosystem that is fully
prepared to anticipate and prevent threats, wherever and
whenever they affect your enterprise.
You need to think about:
Managing risk in the era of consumerization of IT, mobile
computing, cloud adoption, cyber threats, and the spread of
social media technologies
Protecting against increasingly sophisticated threats
Improving detection of and reaction time to security incidents
Reducing administration costs and efficiently spending
security dollars
Achieving compliance in a predictable and cost-effective way
HP addresses the above tasks by first establishing a framework
to link information security management and governance with the
operations and technology required to achieve end-to-end security.
The HP Enterprise Security Solutions framework comprises three
major elements:
1. Information security management
2. Security operations
3. Discrete security capabilities for data center, network,
application, and endpoint security

People, processes, and technology

In developing an effective strategy for enterprise security, it is
important to understand that, along with the technology component,
people and processes come into play as well. By combining the three
elements of people, process, and technology you are able not only
to build a cohesive and integrated solution, but also to mitigate
compliance risks and manage compliance requirements, whether
they are regulatory, commercial, or organizational. The resulting
solution is fit for the purpose as well as cost-effective.
Best-in-class technology, when integrated carefully with your
people and processes, becomes the foundation for sustainable,
end-to-end enterprise security. But it is crucial that the security
solutions you deploy are fully integrated. It is equally essential that
you have a centralized, single view of security across your entire
infrastructure, from endpoint to endpoint, and everything in between.

HP Enterprise Security Solutions framework (figure): Information security
management; Security operations; Data center security; Network security;
Application security; Endpoint security

Start the journey to end-to-end security

With a solid framework and layered system of defense, your
enterprise can begin to assess, transform, manage, and optimize its
security investments in the context of the rapidly changing nature
of threats. At HP, we can deliver enterprise security intelligence
and risk management in a model that suits your unique needs. Our
global reach gives us the breadth and depth to manage your entire
technology environment.
We understand all too well that traditional approaches to security
are often fragmented and impose constraints on users. Our
approach is fourfold:

1. Assess
Assess your risk tolerance profile, compliance requirements,
operational requirements, organizational capabilities,
and resources
2. Transform
Transform your organization's approach to security from
managing it in silos to taking a holistic view
3. Manage
Manage the associated security transformation programs
required to deliver security in the most effective way, adopting
best-of-breed security technologies and flexible sourcing models
4. Optimize
Optimize by continually monitoring the environment to proactively
recommend operational and process improvements and initiatives
that will deliver an enhanced security and risk posture

The challenge is to create a strategy that applies this fourfold
approach to the areas of your business that need to be secured today:
data and information, application, identity, endpoint, and network.

"Cyber attacks have become common occurrences. The companies in
our study experienced a 72 percent increase in discernible and
successful cyber attacks per week, which represents a 44 percent
increase in successful attacks over the number experienced by
organizations in last year's study."
Ponemon Institute, LLC, Second Annual Cost of Cyber Crime Study,
August 2011

"The past several years have been witness to an unparalleled and
astonishingly rapid development in the world of cyber crime: the
emergence of a brand new underground ecosystem brought on by
vast improvements in malicious software."
HP DVLabs, Secure Your Network: 2010 Full Year Top Cyber Security
Risks Report, March 2011

Address the critical security priorities

Protect your data and information
Protecting your mission-critical data and information is essential,
especially in light of government risk and compliance. But managing
the risk associated with your technology-enabled services requires
a new focus on your business processes. The challenge is to
protect your enterprise's reputation while managing risk and
maintaining compliance.
This approach addresses the people, processes, and technologies
required to oversee compliance mandates, internal security policies,
and vendor service levels.
Ask yourself:
What is our security governance plan of record?
How can we prioritize security-related investments based on
business risk measures?
How can we control spend and stay current with compliance
and industry regulations?
How does your enterprise gain?
With an effective plan for securing essential business information,
you can:
Reduce risk through a holistic approach to governance, risk, and
compliance that is aligned with business-process criticality
Reduce cost via cross-business-process rationalization

Secure applications
Approximately 50 percent of the breaches that cause material
damage are application breaches. Application security needs
to be built into your application lifecycle management process.
Applications need to have security integrated within them, not
added on or handled externally to the application.
You need to secure all the software that is a part of your business
process, whether it is software you build, outsource, use from open
source, or purchase. It is essential to identify risks in production
software, provide secure application lifecycle methodologies
for new application development, and enable rapid and cost-effective
remediation.
Ask yourself:
How can I reduce security liability for licensed, cloud, and
in-house apps?
How can I start to build security into the early phase of
software development?
How can I control the use of non-approved apps and downloads?
How can your enterprise gain?
By securing your applications before they are in use, you can:
Enable business agility via faster time to market for
secure applications
Reduce cost of application vulnerability identification
and remediation
Reduce risk by securing applications and the data they use
and store

Implement a strong identity and access management practice
Without a doubt, identity breaches are expensive and dangerous
for any enterprise. To protect against breaches, your enterprise
needs to combine governance and best practices with careful
technical execution.
The goal is to prevent intrusions, identity breach, and data loss,
and the way to accomplish that goal is to standardize and automate
identity and access, as well as provision users.
Your enterprise needs to establish and rely upon a thorough and
mature approach to enterprise identity and access management.
Look for a vendor who can help you assure IAM project success,
blending governance and best practices with technical execution.
Ask yourself:
How do I reduce the costs of managing identities and access?
How can I assure protected access from inside and outside
the firewall?
How can I analyze and report on user activity?
How can your enterprise gain?
By establishing solid protection against identity and access
breaches, you can:
Reduce risk associated with nefarious intrusions, identity breach,
and data loss
Reduce cost of adding/deleting users, handling password resets,
and changing access privileges

Secure mobile and nonmobile endpoints


Your workforce is increasingly mobile, and that means data security
and risk management must be smarter and move with a mobile
generation. To reduce risk, you need to protect all endpoints.
And at the same time, you must centralize and consolidate the
management of all devices connected to the network, whether
mobile or desktop.
Today's challenge is to deploy and manage security both within and
outside the firewall. This includes mobility, printer fleets, and all
other endpoints.

HP Enterprise Security Solutions framework (figure)
Information security management: Policy and risk; Compliance and
audit; Security performance management; Security supplier
management; Threat and risk management; Security architecture;
Training and awareness; Incident management; Security change control
Security operations: Risk assessment and mitigation; Accreditation
and acceptance testing; Identity and access management; Monitoring
and alerting; Security information and event management
Discrete security capabilities (data center, network, application,
and endpoint security): Data and content security (securing data in
motion, in use, and at rest); Business recovery and continuity
services; Intrusion prevention; Application delivery; Mobile
security; Data center security; Network security; Application
security; Asset, endpoint security

Ask yourself:
How can I secure all of our endpoints without causing enormous
constraints on the business units?
How can I ensure secure printing both inside and outside
the firewall?
How do I mitigate risk due to an increasingly mobile workforce and
device sprawl: smartphones, tablets, non-supported devices?
How can your enterprise gain?
With an effective strategy for securing mobile devices and users,
you can:
Reduce risk by securing all endpoints, regardless of location
Reduce cost via central management and tool consolidation
Enable business agility through securing the mobile workforce

Make your network security smarter


To secure the network in today's world, your strategy must
ensure 24x7 global availability of applications while guarding
against intrusion. This is no small task. It requires consistent firewall
security as well as automated and centralized enforcement of all
access to the network.
Look for a vendor who can deliver industry-leading network
security solutions through the combination of advanced intrusion
prevention systems (IPS), a full suite of firewall solutions, and
security for virtual and cloud environments.
Ask yourself:
How can we protect the network in the face of increasing mobility
and IT consumerization and ensure application availability?
How can we defend the infrastructure from attacks given the
torrent of new cyber threats?
How can your enterprise gain?
By improving network security, you can:
Reduce risk of network intrusions and ensure application
availability with zero-day protection and industry-leading
security research
Reduce cost of firewall security with options to match business
needs and form factors (blades and appliances) that scale as
demanded by the business

Rethink your security strategy


HP Enterprise Security Solutions can help solve the risks associated
with the runaway pace of security issues. Our security methodology,
developed over many years of practical experience in identity,
network, application, and endpoint security, helps shape the
enterprise defense system in a way that supports business and
government objectives.

HP Enterprise Security Solutions


HP secures your entire IT infrastructure by addressing all aspects of
security: people, processes, technology, and content. We protect
your assets and resources while helping you comply with today's
regulatory environment.

"Worldwide mobile device sales to end users totaled 1.6 billion
units in 2010, a 31.8 percent increase from 2009. Smartphone
sales to end-users were up 72.1 percent and accounted for
19 percent of total mobile communications device sales in 2010."
Gartner Inc., press release, Egham, UK, February 9, 2011

Security breaches: by the numbers
30% market cap reduction as a result of recent events
44% of all data breaches involve third-party mistakes
$6.75M average cost associated with a data breach

The HP Enterprise Security portfolio is built on HP's rich portfolio
of products and services. Our approach is to carefully align security
to ever-changing business and government demands in a way that
secures assets, resources, and information to manage risk and
protect innovation.

Proven capabilities, proven results

HP employs more than 3,000 security and privacy professionals and
holds more than 600 security patents. Worldwide, our Enterprise
Security Solutions:
Discover more than four times as many critical application
vulnerabilities as other solutions in the market combined
Prevent 550 million junk mail and 1.7 billion spam messages
from reaching users monthly
Detect and quarantine 45 million instances of malware annually
Secure more than 1 million applications and 2 billion lines of code
for clients
Collect, store, and process 3.5 billion events daily
Support more than 3.8 million smartcards, 1.3 million
tokens, 34 certificate authorities, and 54 million usernames
and passwords

Find out more


For more information about designing a layered system of defense
for your enterprise, please visit: hp.com/go/enterprisesecurity

Get connected: hp.com/go/getconnected
Get the insider view on tech trends, support alerts, and HP solutions.
Copyright 2011, 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and
services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors
or omissions contained herein.
4AA3-6821ENW, Created September 2011; Updated May 2012, Rev.1
