"Wavestone: 2024 Cyber Sustainability Report: How Cyber Can Contribute to Sustainable Development (English version) (27 pages).pdf" was shared by a member and can be read online; for more related content on this 27-page report, search on 三個皮匠報告.
Sustainability: How can cyber do its part of the job?
Analysis of cyber impacts and suggested actions
January 2024
Cyber Sustainability - 2024, Wavestone

Why does cyber matter for sustainability?

Cyber represents a significant proportion of information systems (+/- 5% of the IT budget*) and is growing rapidly to face new threats. Cybersecurity controls have a major impact on the way information systems are designed and operated, hence their strategic importance for overall carbon footprint.

Wavestone and the Campus Cyber developed a methodology to measure the impact of cyber and identify actions that need to be taken to reduce carbon emissions with no compromise to risk. This study is an exploratory methodological framework, unique in its approach, which aims to be adopted by the stakeholders and enhanced in the years to come.

*According to Wavestone's benchmark on 100+ organizations across all sectors, 5.3% of the IT budget is spent on cybersecurity on average.

Methodology: focusing on GHG emissions

To assess the impact of cybersecurity, we focused first on GHG emissions, which are the consequences of a security control. Impacts on biodiversity, natural resources depletion, water/air/soil pollution, etc. are not in scope of this study because they are often correlated with emissions (as long as lifespan of IT equipment is maximized) and indicators to measure them are less mature.

Study scope

In scope:
- PCs, servers and appliances: manufacturing and utilization
- Data centers support infrastructure utilization
- External services, including a share of the Cloud
- Business travel: train and plane

Servers and workstations location have been taken into account with a location-based approach.

Out of scope:
- Data centers: construction
- Network infrastructure and offices: construction and utilization
- Cybersecurity teams commuting & business travel by car

Sources

For cybersecurity values:
- Wavestone information system data
- Wavestone client information system data

For emissions factors:
- ADEME* Base Empreinte
- Boavizta
- Dedicated hardware manufacturers data
- Carbon Disclosure Project's Cloud data
- Wavestone studies data

The list of emission factors is in the appendix.

*ADEME: French Agency for Ecological Transition

1. What are the most emissive security controls?
Methodology & findings

Starting from 700 security controls of NIST Cybersecurity framework international standards, we identified the 50 most emitting controls

The 50 most emitting controls were selected if the answer was positive to one or more of the following questions (based on the ADEME/Arcep* breakdown of the carbon footprint of the digital world):
1. Does it require a significant number of endpoints?
2. Does it require a significant number of servers and computing power?
3. Does it require a large amount of network equipment and bandwidth?

[Diagram: 700 security controls (based on the NIST framework) -> qualitative filtering -> 50 shortlisted controls]

*The digital environmental footprint in France, ADEME/Arcep, 2022

Based on these 50 shortlisted security controls, we identified the TOP 10 most emitting controls

Among the 50 shortlisted controls, the TOP 10 most emitting controls were selected based on the calculation of the emissions using:
- Real-life data from Wavestone and its clients' figures (including data centers locations)
- Emission factors from the ADEME*, Boavizta*, manufacturer data, etc.

These results have to be calculated for each company. These initial results enable us to identify the first paths of action.

[Diagram: 700 security controls (based on the NIST framework) -> qualitative filtering -> 50 shortlisted controls -> quantitative filtering -> 10 most CO2-emitting controls -> brainstorming & impact calculation]

*ADEME: French Agency for Ecological Transition
*Boavizta: Working group on digital footprint

How much do the emissions of the 50 shortlisted security controls represent against IT emissions?

The greenhouse gases emissions of the 50 shortlisted security controls were calculated to estimate the overall impact of cybersecurity.

An estimated 5% to 17% of IT emissions* (but 5% of the IT budget)

Cybersecurity greenhouse gases emissions resulting from the 50 shortlisted security controls as measured in our organizations:
- Allocation of servers to cybersecurity purposes (82%)
- Endpoints requested for cybersecurity (17%)
- Cybersecurity network equipment (1%)

As this is a view by technical asset, it excludes consulting and travel.

*Redundant servers and contractor workstations are not taken into account because they are not included in the scope of cybersecurity budget.

What did we learn? Debunking cybersecurity emissions myths

2 security topics generate 50% of cybersecurity-related emissions... but not the one we thought

Emissions % by NIST topic:
- Resilience (36%): redundancy capabilities in different regions, backup servers, backup PCs
- Endpoints (13%): contractor workstations, administrator workstations and VDIs
- Detect (11%): log generation, log collection and storage, log analysis
- IAM (10%): authentication, vaults, PAM
- Vulnerability (9%): vulnerability scans, pentests, antiviruses, patch management
- Data (5%): data in motion and data at rest protection, cryptography
- Network (5%): network mapping and segmentation, anti DDoS
- Governance (3%): cyber staff workstations, cybersecurity awareness, travel
- Other topics (8%): incident management, risk, etc.

It emits more than we may think:
- Resilience capabilities: 36% of cybersecurity emissions
- Contractor workstations: 9% of cybersecurity emissions

It emits less than we may think:
- Cyber threat intelligence: 2% of cybersecurity emissions
- Encryption: 1% of cybersecurity emissions

We mapped the 10 most emitting controls according to their risk coverage in our context to assess their level of priority

Risk has been assessed by a vision from Wavestone experts, and depends on each organization's context.

[Chart: the 10 most emitting controls plotted by risk coverage and CO2 impact, each on a Low to High scale, in four quadrants: medium risk coverage / high CO2 impact; high risk coverage / high CO2 impact; medium risk coverage / low CO2 impact; high risk coverage / low CO2 impact. Controls shown: Redundant capabilities; PAM & Authentication; Log; Contractor workstations; Vulnerability scans, pentest and patch management; Email protection; Data in motion protection; Cybersecurity staff; Application; Network policy orchestration.]

We identified the TOP 4 actions to optimize the most emitting security controls

To find actions to be implemented:
- Brainstorming workshops have been organized with Wavestone experts to list ideas
- Actions have been identified to reduce emissions while keeping the same risk level

[Diagram: 700 security controls (based on the NIST framework) -> qualitative filtering -> 50 shortlisted controls -> quantitative filtering -> 10 most CO2-emitting controls -> brainstorming & impact calculation -> actions to be implemented]

Optimizing security controls to decrease emissions by 5% to 10%, with a constant level of risk

1. Optimizing redundancy capabilities and backups
   Example: Initiate a redundancy capacity optimization project and reduce backups retention duration
2. Consolidating IAM solutions
   Example: optimize privilege access and password vaults applications by consolidating use-cases on fewer solutions
3. Reducing the volume of logs
   Example: reduce verbosity, storage time and quantity
4. Providing specific contractors with VDIs instead of dedicated workstations
   Example: Only provide a workstation to contractors working on critical projects or independent contractors

Co-benefits have also been identified such as a reduction of run costs or an infrastructure that is easier to manage.

Complexity depends on each organization and context. This is an initial estimation that should be investigated further.

[Chart: example of results, showing remaining emissions and reduction potential per action, as a % of total initial cyber emissions]

All actions and assumptions are detailed in the appendix.

2. What actions can we take?
A three-step approach

Ideas for reducing cyber emissions, and how to act on them:
- ACT NOW: IT & Cyber actions
- MAINTAIN THE APPROACH: Sustainable security by design
- INFLUENCE AT SCALE: Cyber ecosystem actions

ACT NOW

Assess your existing controls' emissions
- Evaluate the CO2 impact of existing cyber requirements using this methodology
- Estimate the emissions of the security controls that are already implemented to take effective actions to reduce them

How to do it?
- Run a quick assessment with the in-house Excel questionnaire (duration: 1 hour)
- Run an in-depth assessment with interviews to have precise estimates (duration: 15 to 50 days)

Implement green IT measures that have no risk impact
- Raise awareness among staff on sustainability topics
- Ensure data generation is adapted to requirements
- Ensure software is adapted to requirements and use applications to their full capability
- Optimize the number of devices
- Adopt a responsible purchasing policy

MAINTAIN THE APPROACH

Make sure sustainability is incorporated in run activities

Implement sustainability criteria in day-to-day risk analysis
- Update the risk analysis method to take greenhouse gases emissions into account (GHG emissions alongside risk reduction)

How to do it?
If a mitigation control matches one of these 2 questions, then it's significant and you need to estimate the impact more precisely using ADEME's emission factor:
1. Is it in one of the TOP 10 most emitting security controls?
2. Does it require a significant number of endpoints, or servers and computing power, or network equipment and bandwidth?

Continuously monitor cybersecurity greenhouse gases emissions
- Complete the run security dashboard with greenhouse gases emissions indicator

How to do it?
Steer and monitor greenhouse gases emissions to continuously reduce the environmental impact, either by doing:
1. Continuous assessment with Green IT support: set up indicators on greenhouse gases emissions on the cybersecurity dashboard
2. Spot assessment every 2 years

THINK & ACT AT SCALE

Invite the cyber ecosystem to contribute to the transition

Further actions to reduce the impact of cybersecurity require the involvement of other stakeholders of the cyber ecosystem. Inviting them to contribute to the transition can unlock significant emission reduction opportunities.

- Normalization organizations (NIST, ISO, etc.): Incorporating sustainability in the cyber norms and standards
- Regulators (ECB, National Cyber Agencies, etc.): Assessing the impact of each cybersecurity requirement to promote the least carbon-intensive regulation options
- Software & equipment providers: Ensuring the efficiency of solutions and equipment provided, ensuring a sustainable-by-design approach, for example by avoiding planned obsolescence, providing offers adapted to smaller needs
- Academic research: Incentivising academic research to measure the efficiency of existing protocols (encryption, authentication, etc.) and developing new sustainable cyber solutions

A long journey for cybersecurity to play its part

- ACT NOW: IT & Cyber actions
- MAINTAIN THE APPROACH: Sustainable security by design
- INFLUENCE AT SCALE: Cyber ecosystem actions

Join the Campus Cyber working group to share your in-house results and contribute to enhancing the methodology: cybersustainabilitycyber4tomorrow.fr

With contributions from: [logos]

APPENDIX
Action Sheets

Actions to reduce emissions: Redundancy & backups

Original security control: Redundancy capabilities between data centers in different regions and backups are set up.

Example of actions to reduce emissions:
- Initiate a redundancy capacity optimization project: do not duplicate everything, review applications' confidentiality, ensure that applications decommissioning is done properly
- Optimize backups: reduce retention duration, minimize the number of backups, optimize storage methods
- Reduce the number of backup workstations

Example: reduction potential with the following actions:
- Reduce redundant data by 3%
- Decrease backup PCs and backup servers by 5%

As a % of total initial cyber emissions:

| | Initial emissions | Remaining emissions |
|---|---|---|
| Redundant servers | 28.3% | 27.5% |
| Backup PCs and servers | 6.7% | 6.4% |
| Resilience consulting | 0.7% | 0.7% |
| Total | 35.7% | 34.5% |

Every organization should pick the most relevant actions depending on its context.

Actions to reduce emissions: Identity and access management

Original security control: The organization has an identity lifecycle management solution and an authentication tool to control the identities of the users of the information system.

Example of actions to reduce emissions:
- Rationalize technologies and authentication methods
- Implement authentication methods that do not require dedicated physical equipment
- Optimize privilege access and password vaults applications: consolidate use-cases on fewer solutions to optimize infrastructure and avoid duplication in multiple geographical areas

Example: reduction potential with the following action:
- Optimize Privilege Access & Password Vaults and related Services and Consulting by 33%

As a % of total initial cyber emissions:

| | Initial emissions | Remaining emissions |
|---|---|---|
| Authentication, Access and User Password Management | 2.8% | 2.8% |
| Privilege Access & Password Vaults | 2.1% | 1.4% |
| IAM Services & Consulting | 5.3% | 4.6% |
| Total | 10.2% | 8.8% |

Every organization should pick the most relevant actions depending on its context.

Actions to reduce emissions: Log management

Original security control: Logs are collected, centralized in a SIEM and analyzed to detect security events.

Example of actions to reduce emissions:
- Optimize the volume of logs collected and stored: reduce verbosity, storage time and quantity
- Use an MSSP (Managed Security Service Provider) to use shared resources with other companies

Wavestone testimony: "By reducing the verbosity of the logs and avoiding unnecessary logs duplication in different locations, we have been able to reduce the volume of logs collected and stored by 56%."

Example: reduction potential with the following actions:
- Reduce the volume of logs collected and stored by 20%
- Use an MSSP to optimize by 10%

As a % of total initial cyber emissions:

| | Initial emissions | Remaining emissions |
|---|---|---|
| Logs generation | 1.8% | 1.3% |
| Logs analysis and storage | 7.1% | 5.1% |
| Log Management Services | 0.9% | 0.5% |
| Total | 9.8% | 7.0% |

Every organization should pick the most relevant actions depending on its context.

Actions to reduce emissions: Contractor workstations

Original security control: Every contractor must be provided with a dedicated workstation.

Example of actions to reduce emissions:
- Provide as many contractors as possible with a VDI, rather than a dedicated workstation
- Only provide contractors working on critical projects or independent contractors with a workstation

Example: reduction potential with the following action:
- Provide a VDI to 40% of the contractors, rather than a dedicated workstation

As a % of total initial cyber emissions:

| | Initial emissions | Remaining emissions |
|---|---|---|
| PCs Usage | 0.8% | 0.5% |
| PCs Manufacturing | 8.3% | 5.6% |
| VDIs | | 1.9% |
| Total | 9.1% | 8.0% |

Every organization should pick the most relevant actions depending on its context.

APPENDIX
Glossary & Methodology

Methodology: Overarching Assumptions

- Devices: For each cyber staff, the assumption is that they have one mobile device.
- Cyber solutions: As an assumption, 6 virtual CPUs on average rely on 1 physical CPU.
- Appliances: Due to a lack of information available for proxies, reverse-proxies, web application firewalls, IPS and IDS, it was assumed that the manufacturing emissions and electricity consumption were the same as for a firewall.
- Devices: Workstations, even when they are not used for cybersecurity purposes, still need to generate logs and run antiviruses. Therefore, for all workstations that are not purely used for cybersecurity purposes, an assumption was taken that 0.25% of these workstations are dedicated to log generation and 0.75% of these workstations are dedicated to antiviruses. These are Wavestone internal estimates.
- Other servers: Servers, even when they are not used for cybersecurity purposes, still need to generate logs and run antiviruses. Therefore, for all servers that are not purely used for cybersecurity purposes, an assumption was taken that 0.75% of these servers are dedicated to log generation and 2.25% of these servers are dedicated to antiviruses. These are Wavestone internal estimates.

Glossary

- Emission Factor: An emission factor is a coefficient which allows activity data to be converted into greenhouse gases emissions.
- CO2eq: CO2eq is a metric measure used to estimate the emissions from various greenhouse gases converted in carbon dioxide equivalents based on their global warming potential.
- ADEME (Base Empreinte): ADEME is the French Environment and Energy Management Agency which consolidates emission factors in a database known as the Base Empreinte.

Methodology: Emission Factor Values

| Category | Name | Source | Emission factor | Unit |
|---|---|---|---|---|
| Electricity mix | All Carbon Intensity of the Electricity Mix per Geographical area (kgCO2eq/kWh) are taken from the ADEME Base Empreinte | ADEME Base Empreinte | N/A | N/A |
| Devices | Laptop Manufacturing Emissions - All Sizes | Boavizta 2022, Statistical Study | 232 | kgCO2eq |
| Devices | Laptop Energy Consumption - All Sizes | Boavizta 2022, Statistical Study | 20 | kWh/year |
| Devices | VDI manufacturing emissions linked to the underlying server and network | Wavestone calculation based on ADEME data | 128 | kgCO2eq |
| Devices | VDI annual electricity consumption linked to the underlying server and network | Wavestone calculation based on ADEME data | 26.9 | kWh/year |
| Devices | Lifespan of a VDI underlying server | ADEME Base Empreinte | 5 | years |
| Devices | Workstations hard drive manufacturing emission | Extrapolated from a Cornell University Study | 4.74 | kgCO2eq |
| Devices | Annual electricity consumption of a monitor | Manufacturer data | 44.5 | kWh/year |
| Devices | Manufacturing emissions of a monitor | Manufacturer data | 430.7 | kgCO2eq |
| Devices | Average lifetime of a hard drive | ADEME Base Empreinte | 5 | years |
| Devices | Smartphone manufacturing emissions | Manufacturer data | 50.16 | kgCO2eq |
| Devices | Smartphones electricity consumption | ARCEP Study 2022 | 2 | kWh/year |
| Servers | Rack manufacturing emissions | ADEME Base Empreinte | 550 | kgCO2eq |
| Servers | Average manufacturing emissions for cyber servers | Internal study based on constructor data of known cybersecurity servers | 1269 | kgCO2eq |
| Servers | Average electricity consumption of cyber servers | Internal study based on constructor data of known cybersecurity servers | 1556 | kWh/year |
| Servers | Average manufacturing emissions of backup servers | Internal study based on constructor data of known cybersecurity servers | 2073 | kgCO2eq |
| Servers | Average electricity consumption of backup servers | Internal study based on constructor data of known cybersecurity servers | 2013 | kWh/year |
| Cloud | Average emissions of Cloud services | 2021 CDP Report | 75 | kgCO2eq/k |
| Consulting | Average emissions of digital consulting for Fixed Fee | Internal study | 35.49 | kgCO2eq/k |
| Consulting | Average emissions of digital consulting for Time and Material | Internal study | 4904.37 | kgCO2eq/FTE |
| Appliances | Emissions linked to manufacturing of a firewall | Extrapolated from ADEME Base Empreinte | 59 | kgCO2eq |
| Appliances | Yearly electricity consumption of a firewall | Extrapolated from ADEME Base Empreinte | 90 | kWh/year |
| Travel | Average emissions from air travel | ADEME Base Empreinte | 0.187 | kgCO2eq/km |
| Travel | Average emissions from rail travel | ADEME Base Empreinte | 0.0033 | kgCO2eq/km |

Methodology: Emission Factor Details

- Servers, Manufacturing emissions for a rack: To calculate the yearly manufacturing emissions for a rack, the assumption taken for the lifespan of a rack is that it is the same as a server.
- Servers, Average manufacturing emissions and electricity consumption of servers: The emission factor used for redundant servers is the average of the emission factor taken from the constructor data of known and existing cybersecurity servers.
- Servers, Estimated number of racks by number of servers: To estimate the number of racks, an internal assumption was used that a rack can host 18 servers on average.
- Consulting, Average emissions of digital consulting for Fixed Fee and for Time & Material: To calculate the average emissions of digital consulting, two different factors were used depending on the type of project. For Fixed Price engagements, the emission factor per k was used. For Time & Material engagements, the emission factor per FTE was used. Furthermore, the weighted average of emission factors of strategy vs IT & management external services was incorporated in the calculation, based on the emissions of strategy vs IT & management external services.
- Appliances, Emissions linked to manufacturing of a firewall: The share of total manufacturing emissions compared to the share of total usage emissions from servers was extrapolated and applied to firewalls. The calculation employed ADEME's emission factor which states that firewalls emit on average 80.7 kgCO2e through their lifetime.
- Travel, Average emissions from air and rail travel (2018): To calculate the average emissions linked to travel, the assumption was taken that a cyber FTE travels as much as an IT FTE.