Securing Your ESI
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
• Presentation Overview
  – WI3FM…?
  – ESI Overview
  – Security Overview
  – Security Tips & Tricks
• WI3FM
  – What is in it for me?
  – Why should I care?
• Data Breaches & Security Incidents
  – Average Cost: $7.2 million
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Leading Cause: Negligence, 41%; Hacks, 31%
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Responsible Party: Vendors, 39%
    – http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
  – Increased Frequency: 2010-2011, 58%
    – http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/
• ESI Overview
  – Electronically Stored Information (ESI)
    • Defined for the Federal Rules of Civil Procedure (FRCP):
      – Information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.
        » http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
    • Structured ESI
      – Stored in database or content management systems.
        » Examples: Claims, Brokerage / e-Commerce Transactions
    • Unstructured ESI
      – Free-form information stored in a manner that is difficult to search within.
        » Examples: Tweets, Web Site Content, Word Document Content
• Security Overview
  – CIA Triad
    • Confidentiality
      – Categorization / Classification
      – Privacy
      – Least Privilege
      – AAA: Authentication, Authorization and Accounting
    • Integrity
      – Nonrepudiation
      – Segregation / Separation of Duties
    • Availability
      – Business Continuity (BC) / Disaster Recovery (DR)
      – Defense-in-Depth
• Vendor Selection
  – Service-Level Agreements (SLAs)
    • Temporal Service Contract
      – Term
      – Metrics
      – Definitions
      – Cause for X (e.g. Termination / Exit Clause)
  – Certifications / Attestations
    • SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402
    • ISO 27001 / 2, 27036, 15489
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA / HITECH
• Vendor Selection
  – Incident Response
    • Computer Security Incident Response Team (CSIRT)
  – Digital Forensics
    • Legal Hold / Litigation Response / e-Discovery
      – Electronic Discovery Reference Model (EDRM)
      – FRCP 30(b)(6)
  – Right to Audit
    • Use your internal vendor assessment team or a mutually agreed-upon third party.
• Mobile Device Security Guidance
  – Devices
    • Not all devices are the same.
    • Balancing Act (Draconian versus Cow-folk)
      – People lose stuff all the time.
    • Who owns the device?
      – Bring Your Own Device (BYOD) = consumerization of IT
    • Is device content discoverable?
    • Vicarious Liability
      – Driving & Texting / Talking
      – Mobile Device User Acceptance Policy
  – Applications / Data
    • Not all applications are the same.
    • Segment Work & Play
      – Sandboxing / Data-boxing
      – Mobile Facebook App Pulls / Pushes Data to Address Book
• Physical Media Security Guidance
  – Laptops / Tablets
    • They should be password-protected / encrypted.
    • Wipe / degauss the hard disk drive (HDD) before shredding.
    • Receive a certificate / bill of lading for shredding.
  – Thumb Drives / External Hard Drives
    • They should be password-protected / encrypted.
    • Wipe / degauss before shredding.
    • Receive a certificate / bill of lading for shredding.
  – Backup Tapes
    • They should be in your records retention schedule (RRS).
    • Information Lifecycle
    • They should be password-protected / encrypted.
    • Wipe / degauss before shredding.
    • Receive a certificate / bill of lading for shredding.
• Big Data Security Guidance
  – Information Management
    • Generally Accepted Recordkeeping Principles (GARP®)
    • Information Governance Reference Model (IGRM)
    • Information Lifecycle Management (ILM)
    • MIKE2.0
    • ISO 23081 (Records Metadata)
  – Known Black Ice
    • Log Files
    • Web Metadata
    • Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL)
    • Data Backups (Tapes, Cloud Object Storage)
    • Social Media
• Social Media Security Guidance
  – Sites
    • Manage (Strategy, Policy, Access, Auditing, e-Discovery)
    • Strong Passwords
    • Change / Configuration Management
      – Provisioning / De-provisioning
    • Haters (Competitors, Former Employees / Customers)
    • Wash & Repeat
    • Mobile Apps for Approved Personnel?
  – Applications
    • Immature
    • Insecure
    • Discoverable?
• Security Tips & Tricks
  – Governance, Risk & Compliance (GRC)
  – Encryption / Hashing
  – Authentication, Authorization & Accounting (AAA)
  – Change / Configuration Management
  – Incident Response / e-Discovery / DR Testing
  – Physical Access
  – End User Training
• GRC
  – Documented controls and safeguards.
    • Potential audit findings and remediation actions.
  – Enterprise view of compliance.
    • Potential functional / system / application view as well.
  – Establish standards, best practices and guidance.
    • Make users, vendors and partners aware of these.
• Encryption / Hashing
  – Data at Rest (DAR)
    • Object (File, Table, Record, Column), Volume or Block
  – Data in Motion (DIM)
    • ‘Across the Wire’, Data-com Link
  – Data in Use (DIU)
    • Object (File, Table, Record, Column), Volume or Block
• Encryption / Hashing
  – Nuances
    • Encryption wraps a layer of protection around your information.
      – Public Key Infrastructure (PKI): VPN, TLS / SSL, S/MIME, WPA
    • Hashing re-arranges the bits according to a fixed, one-way algorithm.
      – Database Hashing: HMAC, SHA-1 / 2 / 3, MD5
  – Key Management
    • If you lose the encryption key, then your data is lost.
      – Try telling Legal, a judge or an attorney that!
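The three nuances on this slide (a keyless hash, a keyed HMAC, and encryption whose key must never be lost) side by side, as an added example that is not part of the original deck. It uses only the Python standard library, so the encryption step is an HMAC-in-counter-mode construction with a separate authentication tag; that construction, the 32-byte master key, and the sample claims record are assumptions made here for illustration (a production system would use a vetted AEAD such as AES-GCM from a maintained library).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample record (not from the original deck): one structured-ESI row.
RECORD = b"claim_id=4471;member=J. Doe;amount=1250.00"

NONCE_LEN = 16
TAG_LEN = 32


def digest(data: bytes) -> str:
    """Plain SHA-256 hash: fixed-length, one-way, and keyless. Anyone can recompute
    it, so it detects accidental corruption but not deliberate tampering by someone
    who can also rewrite the stored hash."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data: only a holder of the key can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest keeps the comparison time independent of where it fails.
    return hmac.compare_digest(keyed_tag(key, data), tag)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive distinct encryption and authentication keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a pseudo-random keystream (illustrative construction).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was altered.
    With the key gone, the data is unrecoverable: the slide's key-management point."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blob = encrypt(key, RECORD)
    print("hash      :", digest(RECORD))
    print("hmac      :", keyed_tag(key, RECORD))
    print("round-trip:", decrypt(key, blob) == RECORD)
    print("lost key  :", decrypt(secrets.token_bytes(32), blob))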
• AAA
  – Authentication
    • Validating that the user is who they claim to be.
  – Authorization
    • Allocating the lowest privilege the user needs.
  – Accounting
    • Tracking the user’s actions.
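A minimal gateway that runs each request through all three A's, as an added example that is not part of the original deck: authentication with a salted PBKDF2 hash, authorization from a role table where every role starts with nothing and is granted only what the job needs (least privilege), and accounting as an audit entry for every outcome. The role names, permission strings, PBKDF2 iteration count and sample users are assumptions made here.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware and policy

# Constructed role -> permission table. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "claims_clerk": frozenset({"claim:read", "claim:create"}),
    "auditor": frozenset({"claim:read", "audit:read"}),
    "records_admin": frozenset({"claim:read", "claim:create", "claim:delete"}),
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Store (salt, hash); never store the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AAAGateway:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}  # user -> (salt, hash, role)
        self.audit_log: List[dict] = []  # accounting; append-only storage in a real system

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: does the caller hold the secret for this account?"""
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal valid names.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored, _ = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)

    def authorize(self, username: str, permission: str) -> bool:
        """Authorization: is this action inside the account's role? Default deny."""
        record = self._users.get(username)
        if record is None:
            return False
        return permission in ROLE_PERMISSIONS[record[2]]

    def _account(self, username: str, action: str, outcome: str) -> None:
        """Accounting: one record per attempt, successful or not."""
        self.audit_log.append(
            {"ts": time.time(), "user": username, "action": action, "outcome": outcome}
        )

    def request(self, username: str, password: str, permission: str) -> str:
        """One full AAA pass; returns the outcome and records it."""
        if not self.authenticate(username, password):
            self._account(username, permission, "auth_failed")
            return "auth_failed"
        if not self.authorize(username, permission):
            self._account(username, permission, "denied")
            return "denied"
        self._account(username, permission, "allowed")
        return "allowed"


if __name__ == "__main__":
    gw = AAAGateway()
    gw.add_user("clerk1", "Clerk-Pass-9!", "claims_clerk")  # constructed sample user
    print(gw.request("clerk1", "Clerk-Pass-9!", "claim:create"))  # allowed
    print(gw.request("clerk1", "Clerk-Pass-9!", "claim:delete"))  # denied
    print(gw.request("clerk1", "wrong", "claim:read"))             # auth_failed
    print(gw.audit_log)
```

The denied and failed attempts are the entries an auditor or incident responder will actually want, so the log is written before the function returns on every path.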
• Identity & Access Management (IAM)
  – Single Sign-on (SSO)
    • Allows a user to gain access to multiple systems / apps.
      – Negates password fatigue.
    • Implementations
      – Externally
        » One-time Password (OTP) / Tokenization
        » Federated Identity / Tokenization
        » Smart Card / Two-Factor Authentication (2FA)
        » Remote Authentication Dial-In User Service (RADIUS)
      – Internally
        » Kerberos
        » Lightweight Directory Access Protocol (LDAP)
• IAM Technologies
  – Federated Identity
    • OpenID
    • OAuth
    • Security Assertion Markup Language (SAML)
    • Web Services – Trust Language (WS-Trust)
    • Representational State Transfer (REST)
    • Active Directory Federation Services (ADFS)
      – Microsoft Federation Gateway (MFG)
• Password Tips & Tricks
  – Use a password.
  – Create a strong password / PIN.
    • Alphanumeric with at least one uppercase letter, one lowercase letter, one number & one special character.
    • No dictionary words, SSNs, kids, pets, DOBs or addresses.
    • No usernames.
    • Use different passwords for different accounts.
  – Protect it.
    • Use a password book if necessary.
  – Change it.
    • Semi-annually
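The slide's composition rules turned into a checker that reports every rule a candidate password breaks, as an added example that is not part of the original deck. The deck sets no minimum length, so the 12-character floor is an assumption, as are the small stand-in dictionary (a real deployment would use a full word list or a breached-password set) and the crude SSN and year patterns used for the "no SSNs / DOBs" rule.

```python
import re
from typing import List

MIN_LENGTH = 12  # assumption: the deck states no minimum; 12 is a common floor
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~|\\")

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "qwerty", "letmein", "summer", "admin", "company"}

SSN_RE = re.compile(r"\d{3}-?\d{2}-?\d{4}")   # 9 digits, optionally dashed
YEAR_RE = re.compile(r"(?:19|20)\d{2}")        # crude DOB / year heuristic


def check_password(password: str, username: str = "") -> List[str]:
    """Return the policy rules the password breaks; an empty list means accepted."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.isupper() for c in password):
        failures.append("no_upper")
    if not any(c.islower() for c in password):
        failures.append("no_lower")
    if not any(c.isdigit() for c in password):
        failures.append("no_digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no_special")
    lowered = password.lower()
    # Dictionary and username checks are case-insensitive substring matches,
    # so "Welcome2024!" is caught even though it satisfies the character classes.
    if any(word in lowered for word in DICTIONARY):
        failures.append("dictionary_word")
    if username and username.lower() in lowered:
        failures.append("contains_username")
    if SSN_RE.search(password):
        failures.append("ssn_pattern")
    if YEAR_RE.search(password):
        failures.append("date_pattern")
    return failures


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("Mk#7vQz!pL2r", "password", "Jsmith#2024Ok", "Aa1!123-45-6789"):
        print(f"{candidate!r}: {check_password(candidate, 'jsmith') or 'ok'}")
```

Returning the full list rather than the first failure lets the enrolment screen tell the user everything to fix in one pass, which is what keeps people from retrying with a slightly modified dictionary word.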
• Change / Configuration Management
  – Process
    • Cost, GRC & Quality are huge drivers for:
      – Software Development Lifecycle (SDLC)
      – Project Management Office (PMO), Project Portfolio Management (PPM)
      – Lean / Six Sigma, ISO 9000, CMMI
  – Provisioning / De-provisioning
    • On-loading / Off-loading
      – Profit Centers / Business Units / Functions
      – Data
      – Applications
      – Vendors / Partners
      – Customers
    • Periodic Reviews of Processes & Accounts
• Incident Response / e-Discovery / DR Testing
  – Practice makes perfect.
    • Wash & Repeat
  – Crawl, Walk, Run
    • Crawl: Internal Tabletop Testing
    • Walk: Internal Exercise, “’cause you have nothing better to do on a Saturday”.
    • Run: Incorporate Vendors, Partners & Customers
• End-user Training
  – New Hires
    • Especially for millennials (IT consumerization).
  – Quarterly Computer-based Training (CBT)
    • For heavily regulated industries.
  – Annual On-site Training
    • Be liberal with the swag.
      – Pilot new marketing campaigns (logo, tag, brand).
  – Educate Your Ecosystem
• Take-aways
  – Educate Your Ecosystem
  – Healthy Dose of Skepticism
  – Embrace Change Pragmatically
  – Secured Technology is an Enabler
  – Privacy is Important Too