Perpetual Information Security - Driving Data Protection in an Evolving Compliance Landscape
 


Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by “outsiders.” As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data. With the loss of a traditional physical perimeter, a data-centric approach protects each information item using a cryptographic perimeter that encases the data. Using encryption as the data protection method enables a high level of trust in allowing freer exchange of information, because each item is individually isolated and stays protected wherever it travels. The key is central control: one place that holds all the controls for all the data in every type of environment. For true life-cycle management and the control needed to “secure” the data, a consolidated location for control and management is essential.

  • Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by “outsiders.” As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data. More questions and concerns are introduced: the traditional boundaries of an enterprise have disappeared as data is hosted, outsourced, managed, or accessed by partners, third-party vendors, and a mobile workforce. How do you protect your information assets without restricting business processes? The outsider has become the insider, and even “authorized” users need secure access control. There is no clear delineation between bad guys and good guys.
  • Multiple and Varying compliance mandates
  • Data Centric Protection: Unified Compliance Framework
  • With the introduction of PCI DSS version 2.0, it is a great opportunity to reassess the environment and develop a holistic approach to protecting sensitive information within the organization, beyond cardholder data. This new mandate is an example of how the market is changing: Data Protection 1.0 technologies are no longer adequate for today’s enterprise. 1.0 is where many organizations are today, and where many are stuck; 2.0 is where the data protection market is headed. Let’s take a look at each one of these (go through each row).
    SafeNet’s Approach: Data-centric Protection
    What’s changing: data-conscious rather than perimeter/network-centric; proactive protection rather than passive protection.
    Why it is happening: data was born to be free. Passive techniques that try to constrain data movement based on source and destination, or that offer only “all or nothing” protection, are not enough anymore.
    What to do: a data-conscious security infrastructure, providing persistent data protection as data is created, used, stored, and moved.
    What you gain: proactive data protection (protect once, comply many) and a protected infrastructure.
    What to look at: a scalable and extensible infrastructure with an integrated policy, key, and ID management platform.
  • Data Centric Protection – Total Trust. With the loss of a traditional physical perimeter, a data-centric approach protects each information item using a cryptographic perimeter that encases the data. Using encryption as the data protection method enables a high level of trust in allowing freer exchange of information, because each item is individually isolated and stays protected wherever it travels. The key is central control: one place that holds all the controls for all the data in every type of environment. For true life-cycle management and the control needed to “secure” the data, a consolidated location for control and management is essential.
    The Solution – Data-centric Protection – Total Trust:
    • Assured user authentication (separate access from the data)
    • Access control over the data (application fields, files, etc.)
    • Once-and-forever protection of the data (cryptographic controls)
    • Enable easy sharing with trusted parties (transparent technology)
  • Approaches to Data Centric Security: many customers will use one or more approaches to protecting their data.
  • Key Management Solution: What’s the cost of unmanageable key management?
  • "Key management is one of those 'gotcha' categories," says Jon Oltsik, analyst at Enterprise Strategy Group (ESG). "Encryption gets cheaper, you encrypt more stuff and key management becomes more important."
    Key Management Solution: Reducing Enterprise Key Management Complexity. With so many different data types and devices to manage, it is no wonder organizations are baffled by key management. The answer is one system that generates, backs up, activates, deactivates, rotates, guards against compromise, and destroys keys: secure, centralized key management, combined with data-centric policy management and identity and access management, resulting in control and visibility via logging, auditing, and reporting.
  • Benefits of Lifecycle Key Management. Reduce admin cost: with fewer systems to manage, IT staff time goes down, or resources can move on to the next project because fewer key managers control the multiple security points throughout the enterprise. Ease of proof of compliance: one system to prepare for the audit means you can be more thorough and will shorten audit preparation time. It also makes it simpler for your QSA to review your files, since there are fewer key managers to look at, all with similar log files for data and reporting.
  • We believe one of the best things a top security officer can have is the flexibility to adapt to new situations without having to go to great efforts to acquire more technology. If they have a solid base that eases management, administration, and proof of compliance then they are well on their way to achieving compliance every time.
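
The key lifecycle the notes describe (generate, back up, activate, deactivate, rotate, guard against compromise, destroy) and the per-field cryptographic perimeter, as an added Python illustration that is not SafeNet's or the presentation's code. The KeyManager, KeyState and field-encryption functions are this example's own inventions; the cipher is a stand-in built from HMAC-SHA256 (a PRF in counter mode with encrypt-then-MAC) so the script runs on the standard library alone, and a real deployment would use AES-GCM from a vetted library. It shows what the slides leave implicit: rotation must not orphan existing ciphertext, so the old version stays decrypt-only until every field has been re-keyed and only then is destroyed; a compromised version is refused for any use; and every key operation lands in one audit log.

```python
"""Central key lifecycle manager with versioned field-level encryption (added illustration,
not SafeNet code). HMAC-SHA256 stands in for a real AEAD so the example needs no third-party library."""
import hashlib
import hmac
import os
import time
from enum import Enum


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"  # generated and backed up, not yet in use
    ACTIVE = "active"                  # may encrypt and decrypt
    DEACTIVATED = "deactivated"        # decrypt only: old ciphertext stays readable
    COMPROMISED = "compromised"        # no use at all; affected data must be re-keyed elsewhere
    DESTROYED = "destroyed"            # key material wiped


class KeyManager:
    def __init__(self):
        self._keys = {}       # version -> [state, key material or None]
        self._current = None  # version used for all new encryption
        self.audit = []       # (timestamp, event, key version): one log for every key operation

    def _log(self, event, version):
        self.audit.append((time.time(), event, version))

    def generate(self):
        version = len(self._keys) + 1
        self._keys[version] = [KeyState.PRE_ACTIVATION, os.urandom(32)]
        self._log("generate", version)
        return version

    def activate(self, version):
        if self._keys[version][0] is not KeyState.PRE_ACTIVATION:
            raise ValueError(f"key {version} is {self._keys[version][0].value}; cannot activate")
        if self._current is not None:  # only one encrypting key at a time
            self.transition(self._current, KeyState.DEACTIVATED)
        self._keys[version][0] = KeyState.ACTIVE
        self._current = version
        self._log("activate", version)

    def rotate(self):  # new version encrypts; the previous one becomes decrypt-only
        version = self.generate()
        self.activate(version)
        return version

    def transition(self, version, state):  # deactivate, mark compromised, or destroy
        self._keys[version][0] = state
        if state is KeyState.DESTROYED:
            self._keys[version][1] = None  # wipe material
        if self._current == version:
            self._current = None
        self._log(state.value, version)

    def key_for(self, version, usage):  # release material only if the state permits the usage
        allowed = {"encrypt": {KeyState.ACTIVE}, "decrypt": {KeyState.ACTIVE, KeyState.DEACTIVATED}}
        state, material = self._keys[version]
        if state not in allowed[usage]:
            raise PermissionError(f"key {version} is {state.value}; {usage} refused")
        self._log(usage, version)
        return material

    def current_version(self):
        if self._current is None:
            raise RuntimeError("no active key")
        return self._current


def _subkeys(key):  # domain-separated encryption and MAC keys derived from one managed key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):  # PRF in counter mode
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_field(km, plaintext):
    """Encrypt one field under the active key. Output: version(4) | nonce(16) | ciphertext | tag(32)."""
    version = km.current_version()
    enc_key, mac_key = _subkeys(km.key_for(version, "encrypt"))
    header = version.to_bytes(4, "big") + os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, header[4:], len(plaintext))))
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()


def decrypt_field(km, blob):
    """The embedded version selects the key; the key's lifecycle state decides whether it may be used."""
    if len(blob) < 52:
        raise ValueError("blob too short")
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    enc_key, mac_key = _subkeys(km.key_for(int.from_bytes(header[:4], "big"), "decrypt"))
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, header[4:], len(ct))))


def rekey_field(km, blob):  # move a field to the current version so the old one can be destroyed
    return encrypt_field(km, decrypt_field(km, blob))
```

Usage: `km = KeyManager(); v1 = km.rotate(); blob = encrypt_field(km, b"4111111111111111")` (a constructed sample PAN), then `km.rotate()`, `blob = rekey_field(km, blob)` and finally `km.transition(v1, KeyState.DESTROYED)`. The version prefix in each blob is what makes rotation safe: decryption never guesses which key to use, and `km.audit` records every generate, activate, encrypt, decrypt, deactivate and destroy event in one place.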

Presentation Transcript

  • Perpetual Information Security: Driving Data Protection in an Evolving Compliance Landscape
    Trisha Paine
  • Market Trends, Threat Drivers
    (Slide grouping threat drivers and market forces: Cyber Crime; Cloud Computing; Identity Theft; Virtualization; Data Loss, Theft; Mobile workforce, removable media; The Outsider becomes The Insider; Compliance; Loss of critical IP; Penalties and Fines; Breach Notification Laws; Compliance and regulations; Outside Breaches)
  • Lesson #1: Develop an Overreaching Security Business Model
    Source: Information Systems Audit and Control Association (ISACA)
  • Lesson #2: Know Where Sensitive Data is Located
  • Lesson #3: Map Regulations and Find Overlaps
  • Lesson #4: Look Forward to How Security Needs are Evolving
    Data Protection Then vs. Data Protection Now
    • Then: Perimeter focused security. Now: Data-centric protection, with intelligence to protect the data itself throughout its lifecycle
    • Then: All-or-nothing encryption. Now: Granular, selective protection over a subset of unstructured or structured data (files, fields, and columns)
    • Then: Keep bad guys out, authorized users get full access. Now: Granular data protection for authorized users, assuring compartmentalization
    • Then: Multiple products to meet business and security needs. Now: Centrally managed solution that addresses business, compliance, data governance and security
    • Then: High-level or very specific policy only, no proper central policy management. Now: Centralized policy and key management providing data-use tracking and control
  • Lesson #4: Look Forward to How Security Needs are Evolving
    (Diagram: data moving across Web 2.0 applications, cloud services, SaaS cloud, the Internet, WAN, branch office, mobile, extranet, data center, laptops, flash drives and media, and remote replication, labelled “Forever Protection” and “Ubiquitous Controls”)
    • Each data-use is tracked
    • Granular access controls
    • Assured user authentication
    • Mobile data locked
    • Cryptographic perimeter
    • Application & DB data
    • File-based endpoints
    • Removable media contained
  • Lesson #5: Tackle Requirement 3 (PCI DSS Requirement 3, protect stored cardholder data) and Reduce the Key Management Scope
    Source: OASIS
  • Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope
    What’s the cost of unmanageable key management?
    Planning time:
    Some organizations spent up to a year planning for key management issues including breaches and notifications*
    Audit prep time
    Demonstrate which apps and networks are using the keys and where in the world they are
    Data Loss:
    Up to 39 percent of organizations who have experienced key loss also lose data permanently or disrupt business operations.
    Maintenance costs:
    Disparate systems mean no economy of scale for maintenance costs; each encryption system and key management solution could carry 15-20% annual maintenance fees.
    * Source: TrustCatalyst
  • Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope: Benefits of Lifecycle Key Management
  • Summary: Evaluate Every Option. Adaptable, Flexible, Manageable…
    Consider a unified platform with the choice to adopt the method that’s right for you to achieve compliance.
    Benefits:
    • Flexibility to evolve
    • Ease proof of compliance
    • Streamline administration and enforcement of protection policies
    • Strong lifecycle key management
    (Diagram: a hardened appliance, “scalable for growth”, surrounded by the protection options and the systems they cover: Tokenization; Application Protection; Application and Web Servers; Database Security; Intellectual Property Protection; Databases; File Servers; Mainframes; Laptop; Legacy Protection; Endpoints)