Perpetual Information Security - Driving Data Protection in an Evolving Compliance Landscape

Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by “outsiders.” As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data. With the loss of a traditional physical perimeter, a data-centric approach will protect each information item using a cryptographic perimeter that encases the data. Utilizing encryption as the data protection method enables a high level of trust in allowing freer exchange of information – no need to worry about any type of data loss, with each item being individually isolated. The key is central control – one place that has all the controls for all the data in every type of environment. For true life-cycle management and the control needed to “secure” the data, a consolidated location for control and management is key.

Published in: Technology

Notes
  • Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by “outsiders.” As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data. More questions and concerns are introduced:
    • The traditional boundaries of an enterprise have disappeared as data is hosted, outsourced, managed, or accessed by partners, third-party vendors, and a mobile workforce.
    • How do you protect your information assets without restricting business processes?
    • The outsider has become the insider, and even “authorized” users need secure access control. There is no clear delineation between bad guys and good guys.
  • Multiple and varying compliance mandates
  • Data Centric Protection: Unified Compliance Framework
  • With the introduction of PCI version 2.0, it is a great opportunity for us to reassess our environment and see how we can develop a holistic approach to protect sensitive information within our organization, beyond cardholder data. This new mandate is an example of how the market is changing. Data Protection 1.0 technologies are no longer adequate for today’s enterprise organization. 1.0 is where many organizations are at today; this is where many companies are stuck. 2.0 is where the data protection market is headed. Let’s take a look at each one of these (go through each row).
    SafeNet’s Approach: Data-centric Protection
    • What’s changing: data-conscious vs. perimeter/network-centric; proactive protection vs. passive protection.
    • Why is it happening: data was born to be free. Passive protection techniques that try to constrain data movement based on “source/destination” or “all or nothing” protection are not enough anymore.
    • What to do: a data-conscious security infrastructure, providing persistent data protection as data is created, used, stored, and moved.
    • What you gain: proactive data protection (protect once, comply many); a protected infrastructure.
    • What to look at: a scalable and extensible infrastructure with an integrated policy, key and ID management platform.
  • Data Centric Protection – Total Trust
    With the loss of a traditional physical perimeter, a data-centric approach will protect each information item using a cryptographic perimeter that encases the data. Utilizing encryption as the data protection method enables a high level of trust in allowing freer exchange of information – no need to worry about any type of data loss, with each item being individually isolated. The key is central control – one place that has all the controls for all the data in every type of environment. For true life-cycle management and the control needed to “secure” the data, a consolidated location for control and management is key.
    The Solution – Data-centric Protection – Total Trust:
    • Assured user authentication (separate access from the data)
    • Access control over the data (application fields, files, etc.)
    • Once and forever protection of the data (cryptographic controls)
    • Enable easy sharing with trusted parties (transparent technology)
  • Approaches to Data Centric Security: many customers will use one or more approaches to protecting their data.
  • Key Management Solution: what’s the cost of unmanageable key management?
  • "Key management is one of those 'gotcha' categories," says Jon Oltsik, analyst at Enterprise Strategy Group (ESG). "Encryption gets cheaper, you encrypt more stuff and key management becomes more important."
    Key Management Solution: Reducing Enterprise Key Management Complexity. With so many different data types and devices to manage, it is no wonder that organizations are baffled when it comes to key management. One system that generates, backs up, activates, deactivates, rotates, guards against compromise, and destroys keys provides secure, centralized key management, combined with data-centric policy management and identity & access management, resulting in control and visibility via logging, auditing, and reporting.
  • Benefits of Lifecycle Key Management
    • Reduce admin cost: reduce IT staff because there are not as many systems to manage, or move resources on to the next project because there are fewer key managers controlling the multiple security points throughout the enterprise.
    • Ease proof of compliance: one system to prepare for the audit means you can be more thorough and will expedite your audit preparation time. It also makes it simpler for your QSA to go in and access your files by looking at a reduced number of key managers, all with similar log files for data and reporting.
  • We believe one of the best things a top security officer can have is the flexibility to adapt to new situations without having to go to great efforts to acquire more technology. If they have a solid base that eases management, administration, and proof of compliance then they are well on their way to achieving compliance every time.

Slides

Perpetual Information Security: Driving Data Protection in an Evolving Compliance Landscape
Trisha Paine

Market Trends, Threat Drivers
Threat drivers and market forces named on the slide: Cyber Crime; Cloud Computing; Identity Theft; Virtualization; Data Loss, Theft; Mobile workforce, removable media; The Outsider becomes The Insider; Compliance; Loss of critical IP; Penalties and Fines; Breach Notification Laws; Compliance and regulations; Outside Breaches

Lesson #1: Develop an Overreaching Security Business Model
Source: Information Systems Audit and Control Association (ISACA)

Lesson #2: Know Where Sensitive Data is Located

Lesson #3: Map Regulations and Find Overlaps

Lesson #3: Map Regulations and Find Overlaps (continued)
Lesson #4: Look Forward to How Security Needs are Evolving
Data Protection Now vs. Data Protection Then (the slide sets the two columns side by side):
  • Perimeter focused security
  • Data-centric protection: intelligence to protect the data itself throughout its lifecycle
  • Granular, selective protection over a subset of unstructured or structured data (files, fields, and columns)
  • All-or-nothing encryption
  • Granular data protection for authorized users, assure compartmentalization
  • Keep bad guys out, authorized users get full access
  • Centrally managed solution that addresses business, compliance, data governance & security
  • Multiple products to meet business and security needs
  • High level or very specific policy only
  • No proper central policy management
  • Centralized policy and key management providing data use tracking and control

Lesson #4: Look Forward to How Security Needs are Evolving
Diagram labels: Web 2.0 Application; Cloud Services; Laptop; SaaS Cloud; Internet; WAN; Branch Office; Mobile; Extranet; Data Center; Flash-drive Media; Remote Replication
Forever Protection, Ubiquitous Controls:
  • Each Data-use is Tracked
  • Granular Access Controls
  • Assured User Authentication
  • Mobile Data LOCKED!
  • Cryptographic Perimeter
  • Application & DB Data
  • File-based Endpoints
  • Removable Media contained
Lesson #4: Look Forward to How Security Needs are Evolving (continued)

Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope
Source: Oasis

Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope
What’s the cost of unmanageable key management?
  • Planning time: some organizations spent up to a year planning for key management issues including breaches and notifications*
  • Audit prep time: demonstrate which apps and networks are using the keys and where in the world they are
  • Data loss: up to 39 percent of organizations who have experienced key loss also lose data permanently or disrupt business operations
  • Maintenance costs: disparate systems mean no economy of scale for maintenance costs. Each encryption system and key management solution could have 15-20% annual maintenance fees.
  * Source: TrustCatalyst

Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope (continued)

Lesson #5: Tackle Requirement 3 and Reduce the Key Management Scope
Benefits of Lifecycle Key Management
Summary: Evaluate Every Option
Adaptable, Flexible, Manageable…
Consider a unified platform with the choices to adopt the method that’s right for you to achieve compliance.
Benefits:
  • Flexibility to evolve
  • Ease proof of compliance
  • Streamline administration and enforcement of protection policies
  • Strong lifecycle key management
Diagram labels: Tokenization; Application Protection; Application and Web Servers; Database Security; Intellectual Property Protection; Databases; File Servers; Mainframes; Laptop; Legacy Protection; Endpoints; Hardened Appliance; SCALABLE FOR GROWTH
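As an added example (not code from SafeNet or from this presentation), the following Python sketch puts two of the deck's points into one runnable piece: Lesson #4's granular, field-level protection (seal only the sensitive columns of a record, each tagged with the key version that sealed it) and Lesson #5's lifecycle key management (the generate, activate, deactivate, rotate and destroy steps the notes list, with every action recorded for audit). The key name `cardholder`, the record fields, the `KeyManager` API and the HMAC-SHA256 counter-mode cipher are this example's own assumptions, chosen so it runs with the standard library alone; a real deployment would use AES-GCM behind a hardened, HSM-backed key manager.

```python
"""Added example, not SafeNet's code: a central key manager that drives the lifecycle the
slides name (generate, activate, deactivate, rotate, destroy), logs every action for audit,
and seals only selected fields of a record. Key names, record fields and the HMAC-based
cipher are this example's own assumptions; a real deployment would use AES-GCM."""
import hashlib, hmac, secrets
from datetime import datetime, timezone

# Lifecycle states and the transitions the manager permits between them.
TRANSITIONS = {
    "generated": {"active", "destroyed"},
    "active": {"deactivated"},
    "deactivated": {"active", "destroyed"},
    "destroyed": set(),
}
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key, label):  # separate encryption and MAC keys derived from one stored key
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):  # HMAC-SHA256 in counter mode stands in for AES-CTR
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):  # encrypt-then-MAC; returns nonce || ciphertext || tag
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):  # verifies the tag before decrypting; tampered or mis-keyed blobs are rejected
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

class KeyManager:
    """One place that owns every key version and records every action on it."""
    def __init__(self):
        self.keys = {}      # key_id -> {"material": bytes or None, "state": str}
        self.versions = {}  # logical key name -> latest version number
        self.audit = []     # (utc timestamp, action, key_id)

    def _log(self, action, key_id):
        self.audit.append((datetime.now(timezone.utc).isoformat(), action, key_id))

    def _transition(self, key_id, new_state):
        state = self.keys[key_id]["state"]
        if new_state not in TRANSITIONS[state]:
            raise PermissionError(f"{key_id}: {state} -> {new_state} is not permitted")
        self.keys[key_id]["state"] = new_state
        self._log(new_state, key_id)

    def generate(self, name):
        version = self.versions.get(name, 0) + 1
        key_id = f"{name}/v{version}"
        self.keys[key_id] = {"material": secrets.token_bytes(32), "state": "generated"}
        self.versions[name] = version
        self._log("generated", key_id)
        return key_id

    def activate(self, key_id): self._transition(key_id, "active")
    def deactivate(self, key_id): self._transition(key_id, "deactivated")

    def destroy(self, key_id):
        self._transition(key_id, "destroyed")
        self.keys[key_id]["material"] = None  # the material is gone; the audit trail stays

    def rotate(self, name):  # new version seals from now on; old one stays deactivated so older data still opens
        old, new = f"{name}/v{self.versions[name]}", self.generate(name)
        self.deactivate(old)
        self.activate(new)
        return new

    def protect(self, record, fields, name):  # seal only the listed fields with the current active version
        key_id = f"{name}/v{self.versions[name]}"
        if self.keys[key_id]["state"] != "active":
            raise PermissionError(f"{key_id} is not active")
        out = dict(record)
        for field in fields:
            out[field] = {"key_id": key_id, "blob": seal(self.keys[key_id]["material"], record[field].encode())}
        self._log("protect:" + ",".join(fields), key_id)
        return out

    def unprotect(self, record):  # open sealed fields with the version that sealed them, unless destroyed
        out = dict(record)
        for field, value in record.items():
            if isinstance(value, dict) and "blob" in value:
                entry = self.keys[value["key_id"]]
                if entry["state"] not in ("active", "deactivated"):
                    raise PermissionError(f"{value['key_id']} is {entry['state']}")
                out[field] = unseal(entry["material"], value["blob"]).decode()
                self._log(f"unprotect:{field}", value["key_id"])
        return out
```

The design choice worth noting is that rotation never orphans data: a deactivated version can still open what it sealed, so records are re-protected on their own schedule, while destroying a version makes its data unreadable and leaves only the audit entry. Because every sealed field carries its key id, an auditor can answer the Lesson #5 question of which data each key protects from the records and the log alone.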