Making Security Work—Implementing a
Transformational Security Program
Brent Comstock
SCT06S
SECURITY
Group Vice President – Identity, Access and Data Protection Strategy
SunTrust Banks

2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type
of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation

3 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Abstract
Recent newsworthy data breaches have business and IT leaders asking, “Are we
learning from the mistakes of others?” In an ever-­increasing threat environment,
security leaders face mounting pressures to deliver effective security capabilities that
protect business assets while balancing budgets, security risks and regulatory issues.
SunTrust has started the journey of transforming security capabilities. This session will
explore the driving factors that resulted in SunTrust re-­evaluating its identity, access and
information security program. Furthermore, it will explore the key inputs and building
blocks of what it is looking to establish in its program and people, processes and
technologies that will be required to achieve this vision.
Brent
Comstock
SunTrust Banks
Group VP -­
Identity, Access and
Data Protection
Strategy
The thoughts, views and opinions I express are my own. None of these statements should be considered to represent my employer,
SunTrust Banks, Inc. in any way.

4 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Why I’m Here Today
THE WEATHER OUTSIDE IS FRIGHTFUL…
WE’RE NOT IN KANSAS ANYMORE
BREAK THE MOLD
THE FORK IN THE ROAD
FROM THE INSIDE OUT
1
2
3
4
5

5 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
The Weather Outside is Frightful…

6 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
*2017 Verizon Data Breach Investigations Report
Exploited privileged user
accounts are the common
thread of most data breaches*
“Looking back at the breaches that have happened in the recent past and looking
ahead to GDPR, …. it’s clear that security continues to be critically important.”
Mike Gregoire, Q2 2018 Earnings Conference Call, October 25, 2017

7 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS

8 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS

9 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
The Problem:
There are large numbers of users,
environments and end points to
patch, secure & manage, all with
changing security profiles over
time.
The work load is overwhelming.

10 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
After CA World, You Return Home…
Enlightened…
Energized…
Enthused…
And pretty freaked out!

11 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
We’re Not in Kansas Anymore

12 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
So Where Are We?

13 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Break The Mold

14 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
We protect what’s
important to us.
How we provide that
protection has to
change.

15 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
BREAK THE MOLD

16 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
The Fork in the Road

17 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Level of effort?
Budget?
Time?
• Align with Significant
Company Initiatives
• Establish Security
capabilities quickly
• “Fix” existing platforms
• Upgrade
• Address Process gaps
Can current technology and processes
be adequately improved?

18 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
From the Inside Out

19 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
FORMULA
FOR CHANGE
Discover
&
unlock
WHY
Impact
Leadership
Execute
with
Advocates
Organizational
Culture
Change

20 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
IAM – Focus & Objectives
Creation of Identity credentials, knowledge of high risks assets and associated Access grants & controls are essential to
effective Security in this time of unprecedented threats. IAM and Data Protection capabilities are highly interdependent.
Mitigate enterprise cyber risks and transition to proactive detection of control failures by implementing effective capabilities &
controls for access to company assets:
Focus
Objectives
The top areas of IAM focus include: a) acquire modern identity management capabilities, b) gain visibility
into movement of data and usage of cloud services c) gain insights into users'
behavior d) define roles and responsibilities and e) adhere to regulatory requirements
Ø Simplify, standardize and automate IAM functions across the enterprise
Ø Utilize asset risk scoring to focus on securing highest risk assets first
Ø Invest in people, processes, and technologies to better monitor and detect malicious activity
Ø Define and implement roles and responsibilities for IAM framework execution including increased
Business engagement and accountability
Ø Secure privileged accounts: servers, databases, applications, domains, devices, service accts
Ø Integrate user behaviors associated with access and data movement with all our environments to detect
threats and suspicious behaviors
Ø Enhance capabilities to secure connections & data movement to the cloud and 3rd parties
Discover
&
Unlock
WHY

21 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
IAM & Data Protection Scope
Given the growth of cyber threats, the value of the data and transactions that we protect continues to increase. We must evolve
our IAM practices to include deeper partnership and a “One Team” approach for “Modern IAM” that is much more intelligent,
agile and transparent.
Cloud & Emerging Technologies ‘Modern IAM’ is a foundational tenet to enable the
business to benefit from emerging technologies such as the Cloud and Internet of Things (IOT).
Modern IAM capabilities are faster, more secure and more efficient in transitioning applications
and infrastructure to the cloud.
Asset Type
Applications enable business functions and meet access risk objectives through roles,
entitlements, and permissions. They are managed by traditional IAM solutions and are the
company asset type that have the most mature access controls.
End Users and Devices are at the center of business functions. Ease of use must be
balanced by the necessity to protect company assets. The increased scale from the growing use
of mobile devices stretches traditional IAM practices and capabilities.
Data is stored in a variety of formats and locations, and is growing rapidly. This growth is
compounded by End User compute environments (e.g., file shares, SharePoint) which are not
currently managed and protected using traditional IAM practices and capabilities.
Big Data (i.e. Atlas Data Lake) environments combine data from numerous sources. The
complexity of defining access permissions to voluminous, diverse, and sensitive information
environments is not scalable using currently available IAM access models and technology.
IAM Scope
Impact
Leadership

22 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Why Are Advocates Essential?
§ With limited resources and reach,
you can tap into the energy of passionate
employees. They have knowledge and
insight
§ These employees become the eyes and
ears on the ground and help to drive
change from within their teams
§ This feeling of ownership, responsibility
and influence creates engagement
across the organization
§ By building direct relationships with different
parts of the business, you can find out so much
more through two way communications
§ By keeping our advocates informed of the
latest news and views around security –
you make them smarter and also by proxy –
their teams too!
Security is a team sport…engage the
rest of the team
Execute
With
Advocates

23 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Analytics Enablement
• Facilitate Onboarding & Data Access
• Document & Maintain Role Definition
• Request Data Group Setup
Provisioning
Facilitator
Data Lake Domain
Work Area (Zone 2)
Domain
Role
Security
Group
Data
Asset
Data
Asset
Data
Asset
Domain
Users
Domain Team
Manager
• “Owns” Domain
• Requests New Domain Roles
• Designate Role Champion
• Develop Data Source Access Requirements *
Domain
Owner
Domain Role Owner
• Approve User Access to Role
• Attest to Role and User Access Annually
• Validation of Role Data Source Access Annually
Role
Champion
Source Data Owner(s)
• Approve Role Creation
• Approve Data (not user) Access for Role
Data Access
Owner
Data Management
Manager or Analyst
• Identify & Validate Sensitive Data for Data SourcesData SME
Data Lake Operations
• Configure user on Data Lake
• Configure data access
Data Lake
Setup
Security
Team Tasks
Organizational
Culture
Change
Engage the Team (Example)

24 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
None of us
is as smart
as all of us.
People cannot
help but resist
change.
It’s in our DNA to want to
remain with known
approaches.
Those who resist improved
security aren’t crazy, they’re
human.
Landing the Plane
“People don’t
buy what you
do, they buy
why you do it.”
SIMON SINEK
No one can tell us what
“right” looks like, because of
experience & perspectives.
Your Advocates will help fuel
the cultural change.
Empower them.

25 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Questions?

26 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Stay connected at communities.ca.com
Thank you.

27 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Security
For more information on Security,
please visit: http://cainc.to/CAW17-­Security