Data-Centric Security 2
CONTENTS
Data-Centric Security (page 3)
Data Leak Prevention (page 5)
Encryption (page 7)
Strengths of encryption (page 7)
Weaknesses of encryption (page 8)
Approaches to encryption (page 8)
Homomorphic Encryption (page 9)
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
Using Information Protection and Control (IPC) Tools to Protect the Data 3
In June of 2014, Wisegate conducted a member-driven research initiative designed to
assess the current state of security risks and controls in business today. Assessing IT
Security Risks addresses many of the top takeaways from that survey. This current
document is the third in a new series of reports designed to look more closely at four
specific issues highlighted by that survey.
» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration
Data-Centric Security
More than 100 CISOs indicated that they considered malware and breaches of sensitive
data to be the primary security risks/threats, followed by the malicious outsider. See Figure
1 below specifically, and the Malware and Data Breaches report in general for more details.
When subsequently asked to specify which of a series of infrastructure controls they would
give top priority during the next 3 to 5 years (see Figure 2), there was a clear preference
among the CISOs for what can be described as data-centric controls over physical device
controls.
Figure 1. Survey Question: What are your top three security risks?
Source: Wisegate June 2014
Figure 2. Survey Question: Which of these Infrastructure controls will be a
top priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
The most popular response to this question was DLP-style controls followed by application
firewalls followed by encryption. “When we asked folks about the various types of controls
they could install to protect their companies from those top three risks,” explains Bill Burns,
lead author of the Assessing IT Security Risks survey, “what we noticed was that given the
choice people were strongly preferring things that protect the data itself rather than
protecting the device or the network or the host.”
There are numerous reasons for this.
Firstly, while traditional security products evolved to protect devices and the
perimeters of trusted networks, the modern IT infrastructure can no longer be so
easily defined. Most specifically, there is no longer a defensible perimeter. This is
the effect of remote working on personal devices coupled with an increasing use of
the cloud for both data storage and software as a service applications.
Secondly, not only is there no specific perimeter to defend, there is also great
difficulty in knowing where the data actually resides, or is currently residing. Copies
of documents might simultaneously exist on multiple remote laptops or tablets; and
the company may not know the geolocation of those devices.
Thirdly, there is increasing acceptance that a persistent targeted attack will
eventually breach the network. The combination of
• Zero-day vulnerabilities (unknown and unpatched)
• New or reworked malware (unknown to the anti-virus engines)
• Susceptibility of almost anyone to eventually fall for sophisticated spear-phishing
combines to ensure that a determined and well-resourced attacker will inevitably get
into the network.
Unable to guarantee the integrity of their devices and networks, CISOs are turning towards
defending the data itself, using the new category of security controls known as information
protection and control (IPC). Broadly speaking (although not exclusively), the protection is
provided by encryption technologies while the control is provided by data leak prevention
(DLP) technologies. Sometimes both are made available in a single IPC product.
Data Leak Prevention
Data leak prevention (DLP) is possibly the best known and most popular sub-category of
IPC products. “DLP in monitor mode,” explains Burns, “is where the control will detect and
alert someone that I have just seen a file containing SSNs leave the protected server and
go out onto the internet—or I saw this sensitive data file containing credit card numbers
leave someone's laptop.” The focus is no longer on locking down access to the device or
application—there is an assumption that data will somehow get out. “The focus is now on
where is the data, where is it going, and who is using it—rather than just locking the door
and assuming that the lock will be sufficient to keep the bad guys outside and the data
inside the house.”
DLP was a hot topic a few years ago. “It got cold because it was too complicated,”
suggested Burns, “and I think there was a lack of governance. Now I think it is getting hot
again because there's more scrutiny from boards of directors, more scrutiny because risk
managers are concerned about supply chain risk, and because people say, ‘Well, I may not
have control over a server or the desktop—I can't lock it down because it's not mine, it's a
third party or a personal device—but if I can get someone, or force someone, to install this
DLP control on their device or funnel them on the network through my device, then I can get
visibility into sensitive data moving around’.”
One of the issues in using DLP is whether to use it in monitor mode or block mode. Monitor
mode simply alerts the security team that something is wrong. Block mode prevents any
further movement of the sensitive data.
The problem with monitor-only mode is that by the time the security team has seen the alert
and closed the door, the horse may have already bolted. Despite this, however, many
companies keep DLP for reporting purposes only. Burns explains, “When you're monitoring,
typically the alerts go to the security team; so they get extra work, but the user doesn't
really see any change. When you put DLP into block mode, that's when you start affecting
workflows, behaviors and business processes.”
The usual sequence is for someone to say, ‘We need to install DLP, we need to track our
sensitive data.’ “That gets you the budget,” says Burns, “but then people realize, wow, this
is a lot of work to configure, and it’s really noisy. A team that doesn't have the wherewithal
or the executive sponsorship may simply stop at reporting.” The original plan was probably
to monitor for a while and get the configuration right, and only then when the tuning is good
to turn on blocking mode. “But they get stuck in reporting mode. We're never going to get
100% accuracy, so at what point are we comfortable? You get into that never-ending
quagmire of when do you leave the monitoring phase.” It takes, he added, “a huge amount
of energy and focus and executive sponsorship to switch from monitor mode to block
mode, because once you start blocking, then you start affecting the users' behaviors.”
The Target breach is a case in point. Its IPC controls (probably not specifically DLP in this
instance) provided the alerts, but the process of handling the alerts was not sufficiently
established. The simple reality is that monitor mode DLP on its own is not an adequate
security control.
“You would never want to deploy DLP as a sole defense,” says Burns. “You would like to
add it to a mix of layered defense to increase the chances of detecting a problem. So for
instance, if you had DLP in monitor mode and it says, ‘This credit card database or file is
trying to leave your secure enclave and is heading out to another network where it shouldn't
be,’ whether it is in monitor or block that should be a sufficient alarm that says, ‘Gosh, I'd
better go look into this.’ You basically want to make the attack as noisy as possible. You
don't want someone to be able to silently come in and steal your data—you want to put
detectors or alerts or monitors in place at a number of checkpoints, including the data
itself.”
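The monitor-versus-block distinction described above, as an added example that is not part of the Wisegate report: a small content inspector in Python run over constructed egress events. It flags SSN-formatted values and Luhn-valid payment card numbers; monitor mode lets the transfer through and only raises an alert, while block mode returns a block verdict for exactly the same detection. The Luhn check illustrates one tuning lever for the noise Burns mentions: digit strings that fail it are not flagged. The regex patterns, host names and sample records are assumptions of this example, not anything from the report.

```python
"""Toy DLP content inspector: monitor mode versus block mode.

Added example (not Wisegate's code). All patterns and sample events are constructed.
"""
import re
from dataclasses import dataclass

# US SSN shape with the obviously invalid groups (000, 666, 9xx, 00, 0000) excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most random digit strings, which cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count the sensitive data types present in a piece of content."""
    findings = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings["card"] += 1
    return findings


@dataclass
class Verdict:
    action: str        # "allow", "alert" or "block"
    findings: dict
    reason: str = ""


def inspect(event: dict, mode: str = "monitor") -> Verdict:
    """Apply the policy to one egress event.

    mode="monitor": sensitive content passes, but an alert is raised for the security team.
    mode="block":   same detection, but the transfer is denied.
    """
    findings = classify(event["content"])
    if findings["ssn"] == 0 and findings["card"] == 0:
        return Verdict("allow", findings)
    reason = (f"{findings['ssn']} SSN(s), {findings['card']} card number(s) "
              f"leaving {event['src']} for {event['dst']}")
    return Verdict("block" if mode == "block" else "alert", findings, reason)


def run_policy(events: list, mode: str) -> dict:
    """Map event id to the action taken under the given mode."""
    return {e["id"]: inspect(e, mode).action for e in events}


# Constructed sample egress events; hosts and values are illustrative only.
SAMPLE_EVENTS = [
    {"id": 1, "src": "hr-fileshare", "dst": "mail.example.net",
     "content": "Payroll export: Jane Roe, SSN 123-45-6789, start date 2014-06-01"},
    {"id": 2, "src": "laptop-0042", "dst": "upload.example.org",
     "content": "Test card for sandbox: 4111 1111 1111 1111 exp 12/19"},
    {"id": 3, "src": "laptop-0042", "dst": "tracker.example.org",
     "content": "Ticket 1234-5678-9012-3456 opened; order ref 9876543210123"},
    {"id": 4, "src": "laptop-0042", "dst": "cdn.example.org",
     "content": "Quarterly newsletter draft, no customer data"},
]

if __name__ == "__main__":
    for mode in ("monitor", "block"):
        for event in SAMPLE_EVENTS:
            v = inspect(event, mode)
            print(f"[{mode}] event {event['id']}: {v.action} {v.reason}")
```

Event 3 is the tuning point: both digit strings look like card numbers to the regex alone, but neither passes Luhn, so neither mode raises anything. In a real deployment the equivalent knobs (validators, allow-lists for test data, per-destination exceptions) are what make the difference between an alert stream a team can act on and the "really noisy" state Burns describes.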
Encryption
The weakness of DLP in monitor mode—and indeed many other security controls—is that
while they alert the security team to a potential problem, they do not in themselves secure
the data. There is, however, one technology that does this with a very high degree of
certainty: encryption. The problem is that encryption currently has limited application, and
is very difficult to get right.
Strengths of encryption
» Secures the data. There are encryption algorithms readily available that are
generally considered to be unbreakable. Although there are several caveats to this
(some algorithms are known to have weaknesses, others have had weaknesses
introduced, and the length of the encryption key is critical), a strong algorithm with
an adequate key length well implemented will theoretically protect the data
forever—wherever it is, and whoever has access to it (provided they don’t also
have access to the encryption keys).
» Compliance. Data that has been encrypted is generally considered to guarantee
regulatory compliance. In some cases, encryption is specifically mandated by the
regulations (such as PCI DSS). In other cases it is not specified by the regulations,
but endorsed by the regulators (for example, the UK’s data protection regulator has
advised that personal data stored in the public cloud will be in compliance with the
Data Protection Act provided that it is encrypted; but that it probably is not in
compliance if the encryption keys are stored with the same cloud provider). This
leads us to the first major weakness in the use of encryption: key management.
Weaknesses of encryption
» Key management. “The real problem with encryption is key management,”
explains Burns: “managing all of the decryption keys and making sure that the right
people and only the right people have keys, and that they are renewed when they
expire... that’s really hard. It's much harder than managing the encryption.”
Encryption works if the implementation is sound and all of the right people, and only
the right people, have the keys. If the bad people have encrypted data but no keys,
they don’t have the data. But if they do have the keys, they also have the data.
» Inability to search data. The biggest practical problem in the use of encryption is
that it makes it very difficult to perform operations on that data. Even a simple
search operation is difficult because the encrypted target bears no relation to the
unencrypted search term. Fixed or permanent data that doesn’t need to be
processed (such as archived material) can be encrypted and stored; dynamic
application data cannot.
Approaches to encryption
Economic realities are driving companies to the cloud. “The cost of running a server and
storing data and operating an application is considerable,” explains Burns: “hence the
movement to cloud SaaS applications. So companies are giving away control of their
infrastructure; they're turning the capital expense into operating expense and making it
consumption-based—which is all good.”
But compliance is also driving companies towards encryption. “Now we're trying to figure
out, how do I encrypt that data so that someone that I sort of trust, but not completely (the
SaaS application administrators) can have access to the system without having access to
my data?” The solution is to encrypt the data. “If it is extremely sensitive and valuable to the
company, we will encrypt that data and make it completely unusable to the SaaS provider.
We will make it hard for even ourselves to use that data because we understand that it is
extremely valuable and sensitive. If it's not valuable at all, we won't encrypt it. That's the two
ends of the spectrum.”
So one of the main problems with encryption is finding the correctly balanced position
based on the risk appetite for the data in question. Fundamental to this is keeping the keys
and data separately located.
» Third party services. “Somewhere in the middle we may say, we will encrypt the
data but we will encrypt it by way of an appliance or a third party application that
sits between us and the cloud. Now there will be something in the middle that's
going to encrypt our data. We will trust this third party to manage the keys—think of
a proxy server for instance that is sitting between us and the cloud storage. When
we go through that proxy server it finds our sensitive data and encrypts it on the fly
on its way to the cloud. In that case what we’ve done is we’ve moved the risk of key
exposure away from the SaaS and on to the third party. If someone really wants to
break in and have access to our data they'd have to break into the SaaS to steal the
data and then break into the third party to steal the keys. So it raises the cost of the
attack.”
» In-house key storage. “If we’re really paranoid,” suggests Burns, “we might
entrust the third party to manage the encryption, but keep the key management in-
house,” perhaps within a dedicated hardware security module (HSM). None of this
completely eliminates the threat, but it makes it more expensive for the bad guys to
be successful. “That,” adds Burns, “is the real goal of a lot of security controls—
trying to degrade the attackers’ ability, or make the cost so high they go someplace
else.”
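The key-and-data separation that Burns describes (encryption performed by a proxy in the middle, key management kept in-house, ideally in an HSM), as an added example in Python that is not the report's or any vendor's code. Each record gets a fresh data key, the data key is wrapped under a key-encrypting key that never leaves the in-house key store, and the cloud provider stores only the ciphertext and the wrapped key. Python's standard library has no AES, so the bulk cipher here is an HMAC-SHA256 keystream in counter mode plus an HMAC tag (encrypt-then-MAC); it stands in for AES-GCM and is not meant as a production cipher. The class names, record ids and sample values are assumptions of this example.

```python
"""Envelope encryption with the KEK held apart from the data.

Added example, not Wisegate's code. The AEAD below is an HMAC-based stand-in for
AES-GCM (stdlib only); the structure, not the cipher, is the point.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key = hashlib.sha256(b"enc" + key).digest()   # domain-separated subkeys
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first (constant-time), then decrypt. Raises ValueError on failure."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class InHouseKeyStore:
    """Stands in for the HSM: the KEK never leaves; only wrap/unwrap are exposed."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes, record_id: str) -> bytes:
        return aead_encrypt(self._kek, dek, aad=record_id.encode())

    def unwrap(self, wrapped: bytes, record_id: str) -> bytes:
        return aead_decrypt(self._kek, wrapped, aad=record_id.encode())


class EncryptingProxy:
    """Sits between the company and the cloud; encrypts each record under a fresh DEK."""

    def __init__(self, keystore: InHouseKeyStore):
        self.keystore = keystore

    def protect(self, record_id: str, plaintext: bytes) -> dict:
        dek = secrets.token_bytes(32)
        return {  # this dict is everything the SaaS provider ever stores
            "id": record_id,
            "ciphertext": aead_encrypt(dek, plaintext, aad=record_id.encode()),
            "wrapped_dek": self.keystore.wrap(dek, record_id),
        }

    def reveal(self, stored: dict) -> bytes:
        dek = self.keystore.unwrap(stored["wrapped_dek"], stored["id"])
        return aead_decrypt(dek, stored["ciphertext"], aad=stored["id"].encode())


def demo() -> dict:
    """Round trip, then two failure cases: provider without KEK, and a swapped wrapped key."""
    keystore = InHouseKeyStore()
    proxy = EncryptingProxy(keystore)
    secret = b"card=4111111111111111;limit=5000"          # constructed sample record
    stored = proxy.protect("cust-1001", secret)
    results = {"roundtrip": proxy.reveal(stored) == secret}
    # The provider holds ciphertext and wrapped DEK but no KEK: unwrapping with any other key fails.
    try:
        aead_decrypt(secrets.token_bytes(32), stored["wrapped_dek"], aad=b"cust-1001")
        results["provider_blocked"] = False
    except ValueError:
        results["provider_blocked"] = True
    # A wrapped DEK cannot be replayed against another record: the AAD binds it to its record id.
    other = proxy.protect("cust-1002", b"card=5500000000000004;limit=100")
    swapped = dict(other, wrapped_dek=stored["wrapped_dek"])
    try:
        proxy.reveal(swapped)
        results["swap_blocked"] = False
    except ValueError:
        results["swap_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The division of labour mirrors the text: an attacker who compromises the SaaS gets ciphertext and wrapped keys, and still has to compromise the proxy or the key store to read anything, which is the "raises the cost of the attack" argument in concrete form. Binding each wrapped key to its record id is the detail practitioners most often miss; without it, a stolen wrapped key from one record can be presented for another.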
Homomorphic Encryption
Neither of these approaches solves the basic problem—we cannot manipulate encrypted
data. “Let's say we store our encrypted data at Salesforce. Right now, if it's encrypted,
Salesforce cannot search the data, they cannot manipulate the data, applications can't do
anything with the data—because it's encrypted. To do so they would need the decryption
key.” Here’s the dilemma. “If the goal is to not give Salesforce the decryption keys, then
Salesforce is not really very useful. But if I do give Salesforce the keys, then I have
weakened my ability to protect my data.”
There is, however, an evolving technology that shows promise: homomorphic encryption. It
offers the possibility of searching a database without having to decrypt it. It has been a
theoretical possibility for many years, but the problems involved have not yet been fully
solved. In 2011, MIT Technology Review1
noted,
With homomorphic encryption, a company could encrypt its entire database of e-
mails and upload it to a cloud. Then it could use the cloud-stored data as desired—
for example, to search the database to understand how its workers collaborate. The
results would be downloaded and decrypted without ever exposing the details of a
single e-mail.
[1] Homomorphic Encryption, MIT Technology Review:
http://www2.technologyreview.com/article/423683/homomorphic-encryption/
But in December 2013, Bob Gourley wrote for CTOvision [2]:
I have seen nothing in any of the research that makes me think a solution can be
put in place that cannot be defeated by bad guys. And if that can’t be done then
the solution will not solve any problems, it will just add processing overhead. So in
the end I remain a skeptic regarding any claims of a working fully homomorphic
solution.
“The problem,” says Burns, “is that it is extremely slow. But it does show promise.”
[2] IBM Claims Advances In Fully Homomorphic Encryption (and I’m claiming advances in an anti-gravity device), CTOvision.com:
https://ctovision.com/2013/12/ibm-claims-advances-fully-homomorphic-encryption-im-claiming-advances-anti-gravity-device/
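Two passages above, the "Inability to search data" weakness and the homomorphic encryption section, can be seen in one piece of code. What follows is an added example in Python, not from the Wisegate report or from any of the vendors mentioned: a partially homomorphic scheme (Paillier, which supports addition of ciphertexts and multiplication by a constant, not the arbitrary computation that fully homomorphic schemes aim for). A cloud party holding only the public key totals encrypted figures it cannot read, and the same code shows why plain search fails, because two encryptions of the same value produce different ciphertexts. The primes are toy-sized so it runs instantly in pure Python; the figures and party roles are constructed for the example.

```python
"""Additively homomorphic encryption (Paillier) over a toy-sized modulus.

Added example, not Wisegate's code. Primes far too small for real use, chosen
so the arithmetic is instant in pure Python (real keys use 1024+ bit primes).
"""
import math
import secrets

P, Q = 104729, 104723   # constructed toy primes


def keygen(p: int = P, q: int = Q):
    """Public key (n, g) and private key (lambda, mu) with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)     # lcm(p-1, q-1)
    g = n + 1
    n2 = n * n
    # L(u) = (u - 1) // n ; mu = L(g^lambda mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with fresh random r, so encryption is randomized."""
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 decrypts to a + b: addition without the key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """E(a)^k mod n^2 decrypts to k * a: multiplication by a known constant."""
    n, _ = pub
    return pow(c, k, n * n)


def cloud_total(pub, ciphertexts: list) -> int:
    """What the cloud can do with only the public key: fold the ciphertexts."""
    acc = encrypt(pub, 0)                 # start from a fresh encryption of zero
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc


def demo() -> dict:
    pub, priv = keygen()
    # Constructed sample: per-branch figures the cloud must total without reading them.
    figures = [1200, 450, 3075, 80]
    cts = [encrypt(pub, v) for v in figures]
    total_ct = cloud_total(pub, cts)                      # computed cloud-side, key never shared
    tripled_ct = scale_encrypted(pub, total_ct, 3)
    return {
        "total": decrypt(pub, priv, total_ct),            # 4805, recovered in-house
        "tripled_total": decrypt(pub, priv, tripled_ct),  # 14415
        # Randomized encryption: the same plaintext gives different ciphertexts, so the
        # cloud cannot find records by comparing an encrypted search term against stored values.
        "same_plaintext_differs": encrypt(pub, 42) != encrypt(pub, 42),
    }


if __name__ == "__main__":
    print(demo())
```

The `same_plaintext_differs` result is the search problem from the Weaknesses section stated in code: equality matching on ciphertext requires either giving the provider the key or using a deterministic or searchable scheme, each of which leaks something. The totals show what the Technology Review quote means by using cloud-stored data without decrypting it, and the modular exponentiations on `n^2` are where the cost Burns calls "extremely slow" comes from, here hidden only by the toy key size.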
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.

More Related Content

Viewers also liked

ANGGOTA PAGUYUBAN PURNA WIDYA PRAJA
ANGGOTA PAGUYUBAN PURNA WIDYA PRAJAANGGOTA PAGUYUBAN PURNA WIDYA PRAJA
ANGGOTA PAGUYUBAN PURNA WIDYA PRAJAHamzah Laduny
 
PODIATRY INSTRUMENTS [SURGICOSE]
PODIATRY INSTRUMENTS [SURGICOSE]PODIATRY INSTRUMENTS [SURGICOSE]
PODIATRY INSTRUMENTS [SURGICOSE]SURGICOSE
 
Nelson Mandela quotes: A collection of memorable words from former South Afri...
Nelson Mandela quotes: A collection of memorable words from former South Afri...Nelson Mandela quotes: A collection of memorable words from former South Afri...
Nelson Mandela quotes: A collection of memorable words from former South Afri...learnafrica2
 

Viewers also liked (9)

ANGGOTA PAGUYUBAN PURNA WIDYA PRAJA
ANGGOTA PAGUYUBAN PURNA WIDYA PRAJAANGGOTA PAGUYUBAN PURNA WIDYA PRAJA
ANGGOTA PAGUYUBAN PURNA WIDYA PRAJA
 
Resume
ResumeResume
Resume
 
PODIATRY INSTRUMENTS [SURGICOSE]
PODIATRY INSTRUMENTS [SURGICOSE]PODIATRY INSTRUMENTS [SURGICOSE]
PODIATRY INSTRUMENTS [SURGICOSE]
 
INST. TECH
INST. TECHINST. TECH
INST. TECH
 
Executive summaery Heptavite AF
Executive summaery Heptavite AFExecutive summaery Heptavite AF
Executive summaery Heptavite AF
 
It's just a test!
It's just a test!It's just a test!
It's just a test!
 
Get Agile
Get AgileGet Agile
Get Agile
 
Nelson Mandela quotes: A collection of memorable words from former South Afri...
Nelson Mandela quotes: A collection of memorable words from former South Afri...Nelson Mandela quotes: A collection of memorable words from former South Afri...
Nelson Mandela quotes: A collection of memorable words from former South Afri...
 
Driver recruitment and retention FTA-furnell.pdf
Driver recruitment and retention FTA-furnell.pdfDriver recruitment and retention FTA-furnell.pdf
Driver recruitment and retention FTA-furnell.pdf
 

Recently uploaded

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 

Recently uploaded (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Wisegate Using IPC Tools to Protect Data

  • 1. 22
  • 2. Data-Centric Security 2 CONTENTS Data-Centric Security ..............................................................................................................3   Data Leak Prevention ..............................................................................................................5   Encryption................................................................................................................................7   Strengths of encryption ...........................................................................................................7   Weaknesses of encryption ......................................................................................................8   Approaches to encryption.......................................................................................................8   Homomorphic Encryption ........................................................................................................9   © 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
  • 3. Using Information Protection and Control (IPC) Tools to Protect the Data 3 In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from that survey. This current document is the third in a new series of reports designed to look more closely at four specific issues highlighted by that survey. » Metrics and reporting » Malware and data breaches » Data-centric security » Automation and orchestration Data-Centric Security More than 100 CISOs indicated that they considered malware and breaches of sensitive data to be the primary security risks/threats, followed by the malicious outsider. See Figure 1 below specifically, and the Malware and Data Breaches report in general for more details. When subsequently asked to specify which of a series of infrastructure controls they would give top priority during the next 3 to 5 years (see Figure 2), there was a clear preference among the CISOs for what can be described as data-centric controls over physical device controls.
  • 4. Data-Centric Security 4 Figure 1. Survey Question: What are your top three security risks? Source: Wisegate June 2014 Figure 2. Survey Question: Which of these Infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014
  • 5. Using Information Protection and Control (IPC) Tools to Protect the Data 5 The most popular response to this question was DLP-style controls followed by application firewalls followed by encryption. “When we asked folks about the various types of controls they could install to protect their companies from those top three risks,” explains Bill Burns, lead author of the Assessing IT Security Risks survey, “what we noticed was that given the choice people were strongly preferring things that protect the data itself rather than protecting the device or the network or the host.” There are numerous reasons for this. Firstly, while traditional security products evolved to protect devices and the perimeters of trusted networks, the modern IT infrastructure can no longer be so easily defined. Most specifically, there is no longer a defensible perimeter. This is the effect of remote working on personal devices coupled with an increasing use of the cloud for both data storage and software as a service applications. Secondly, not only is there no specific perimeter to defend, there is also great difficulty in knowing where the data actually resides, or is currently residing. Copies of documents might simultaneously exist on multiple remote laptops or tablets; and the company may not know the geolocation of those devices. Thirdly, there is increasing acceptance that a persistent targeted attack will eventually breach the network. The combination of • Zero-day vulnerabilities (unknown and unpatched) • New or reworked malware (unknown to the anti-virus engines) • Susceptibility of almost anyone to eventually fall for sophisticated spear- phishing, combine to ensure that a determined and well-resourced attacker will inevitably get into the network. Unable to guarantee the integrity of their devices and networks, CISOs are turning towards defending the data itself, using the new category of security controls known as information protection and control (IPC). 
Broadly speaking (although not exclusively), the protection is provided by encryption technologies while the control is provided by data leak prevention (DLP) technologies. Sometimes both are made available in a single IPC product.

Data Leak Prevention

Data leak prevention (DLP) is possibly the best known and most popular sub-category of IPC products. “DLP in monitor mode,” explains Burns, “is where the control will detect and alert someone that I have just seen a file containing SSNs leave the protected server and
go out onto the internet—or I saw this sensitive data file containing credit card numbers leave someone's laptop.” The focus is no longer on locking down access to the device or application—there is an assumption that data will somehow get out. “The focus is now on where is the data, where is it going, and who is using it—rather than just locking the door and assuming that the lock will be sufficient to keep the bad guys outside and the data inside the house.”

DLP was a hot topic a few years ago. “It got cold because it was too complicated,” suggested Burns, “and I think there was a lack of governance. Now I think it is getting hot again because there's more scrutiny from boards of directors, more scrutiny because risk managers are concerned about supply chain risk, and because people say, ‘Well, I may not have control over a server or the desktop—I can't lock it down because it's not mine, it's a third party or a personal device—but if I can get someone, or force someone, to install this DLP control on their device or funnel them on the network through my device, then I can get visibility into sensitive data moving around’.”

One of the issues in using DLP is whether to use it in monitor mode or block mode. Monitor mode simply alerts the security team that something is wrong. Block mode prevents any further movement of the sensitive data. The problem with monitor-only mode is that by the time the security team has seen the alert and closed the door, the horse may have already bolted. Despite this, however, many companies keep DLP for reporting purposes only. Burns explains, “When you're monitoring, typically the alerts go to the security team; so they get extra work, but the user doesn't really see any change.
When you put DLP into block mode, that's when you start affecting workflows, behaviors and business processes.”

The usual sequence is for someone to say, ‘We need to install DLP, we need to track our sensitive data.’ “That gets you the budget,” says Burns, “but then people realize, wow, this is a lot of work to configure, and it’s really noisy. A team that doesn't have the wherewithal or the executive sponsorship may simply stop at reporting.” The original plan was probably to monitor for a while and get the configuration right, and only then, when the tuning is good, to turn on blocking mode. “But they get stuck in reporting mode. We're never going to get 100% accuracy, so at what point are we comfortable? You get into that never-ending quagmire of when do you leave the monitoring phase.” It takes, he added, “a huge amount of energy and focus and executive sponsorship to switch from monitor mode to block mode, because once you start blocking, then you start affecting the users' behaviors.”

The Target breach is a case in point. Its IPC controls (probably not specifically DLP in this instance) provided the alerts, but the process of handling the alerts was not sufficiently
established. The simple reality is that monitor mode DLP on its own is not an adequate security control. “You would never want to deploy DLP as a sole defense,” says Burns. “You would like to add it to a mix of layered defense to increase the chances of detecting a problem. So for instance, if you had DLP in monitor mode and it says, ‘This credit card database or file is trying to leave your secure enclave and is heading out to another network where it shouldn't be,’ whether it is in monitor or block that should be a sufficient alarm that says, ‘Gosh, I'd better go look into this.’ You basically want to make the attack as noisy as possible. You don't want someone to be able to silently come in and steal your data—you want to put detectors or alerts or monitors in place at a number of checkpoints, including the data itself.”

Encryption

The weakness of DLP in monitor mode—and indeed of many other security controls—is that while they alert the security team to a potential problem, they do not in themselves secure the data. There is, however, one technology that does this with a very high degree of certainty: encryption. The problem is that encryption currently has limited application, and is very difficult to get right.

Strengths of encryption

» Secures the data. There are encryption algorithms readily available that are generally considered to be unbreakable. Although there are several caveats to this (some algorithms are known to have weaknesses, others have had weaknesses introduced, and the length of the encryption key is critical), a strong algorithm with an adequate key length, well implemented, will theoretically protect the data forever—wherever it is, and whoever has access to it (provided they don’t also have access to the encryption keys).

» Compliance. Data that has been encrypted is generally considered to guarantee regulatory compliance.
In some cases, encryption is specifically mandated by the regulations (such as PCI DSS). In other cases it is not specified by the regulations, but endorsed by the regulators (for example, the UK’s data protection regulator has advised that personal data stored in the public cloud will be in compliance with the Data Protection Act provided that it is encrypted; but that it probably is not in compliance if the encryption keys are stored with the same cloud provider). This leads us to the first major weakness in the use of encryption: key management.
Weaknesses of encryption

» Key management. “The real problem with encryption is key management,” explains Burns: “managing all of the decryption keys and making sure that the right people and only the right people have keys, and that they are renewed when they expire... that’s really hard. It's much harder than managing the encryption.” Encryption works if the implementation is sound and all, but only, the right people have the keys. If the bad people have encrypted data but no keys, they don’t have the data. But if they do have the keys, they also have the data.

» Inability to search data. The biggest practical problem in the use of encryption is that it makes it very difficult to perform operations on that data. Even a simple search operation is difficult because the encrypted target bears no relation to the unencrypted search term. Fixed or permanent data that doesn’t need to be processed (such as archived material) can be encrypted and stored; dynamic application data cannot.

Approaches to encryption

Economic realities are driving companies to the cloud. “The cost of running a server and storing data and operating an application is considerable,” explains Burns: “hence the movement to cloud SaaS applications. So companies are giving away control of their infrastructure; they're turning the capital expense into operating expense and making it consumption-based—which is all good.” But compliance is also driving companies towards encryption. “Now we're trying to figure out, how do I encrypt that data so that someone that I sort of trust, but not completely (the SaaS application administrators) can have access to the system without having access to my data?”

The solution is to encrypt the data. “If it is extremely sensitive and valuable to the company, we will encrypt that data and make it completely unusable to the SaaS provider.
We will make it hard for even ourselves to use that data because we understand that it is extremely valuable and sensitive. If it's not valuable at all, we won't encrypt it. That's the two ends of the spectrum.” So one of the main problems with encryption is finding the correctly balanced position based on the risk appetite for the data in question. Fundamental to this is keeping the keys and data separately located.

» Third party services. “Somewhere in the middle we may say, we will encrypt the data but we will encrypt it by way of an appliance or a third party application that sits between us and the cloud. Now there will be something in the middle that's
going to encrypt our data. We will trust this third party to manage the keys—think of a proxy server for instance that is sitting between us and the cloud storage. When we go through that proxy server it finds our sensitive data and encrypts it on the fly on its way to the cloud. In that case what we’ve done is we’ve moved the risk of key exposure away from the SaaS and on to the third party. If someone really wants to break in and have access to our data they'd have to break into the SaaS to steal the data and then break into the third party to steal the keys. So it raises the cost of the attack.”

» In-house key storage. “If we’re really paranoid,” suggests Burns, “we might entrust the third party to manage the encryption, but keep the key management in-house,” perhaps within a dedicated hardware security module (HSM).

None of this completely eliminates the threat, but it makes it more expensive for the bad guys to be successful. “That,” adds Burns, “is the real goal of a lot of security controls—trying to degrade the attackers’ ability, or make the cost so high they go someplace else.”

Homomorphic Encryption

Neither of these approaches solves the basic problem—we cannot manipulate encrypted data. “Let's say we store our encrypted data at Salesforce. Right now, if it's encrypted, Salesforce cannot search the data, they cannot manipulate the data, applications can't do anything with the data—because it's encrypted. To do so they would need the decryption key.” Here’s the dilemma. “If the goal is to not give Salesforce the decryption keys, then Salesforce is not really very useful. But if I do give Salesforce the keys, then I have weakened my ability to protect my data.”

There is, however, an evolving technology that shows promise: homomorphic encryption. It offers the possibility of searching a database without having to decrypt it.
It has been a theoretical possibility for many years, but the problems involved have not yet been fully solved. In 2011, MIT Technology Review [1] noted:

With homomorphic encryption, a company could encrypt its entire database of e-mails and upload it to a cloud. Then it could use the cloud-stored data as desired—for example, to search the database to understand how its workers collaborate. The results would be downloaded and decrypted without ever exposing the details of a single e-mail.

[1] Homomorphic Encryption, MIT Technology Review: http://www2.technologyreview.com/article/423683/homomorphic-encryption/
But in December 2013, Bob Gourley wrote for CTOvision [2]:

I have seen nothing in any of the research that makes me think a solution can be put in place that cannot be defeated by bad guys. And if that can’t be done then the solution will not solve any problems, it will just add processing overhead. So in the end I remain a skeptic regarding any claims of a working fully homomorphic solution.

“The problem,” says Burns, “is that it is extremely slow. But it does show promise.”

[2] IBM Claims Advances In Fully Homomorphic Encryption (and I’m claiming advances in an anti-gravity device), CTOvision.com: https://ctovision.com/2013/12/ibm-claims-advances-fully-homomorphic-encryption-im-claiming-advances-anti-gravity-device/