
The Data Breaches You Don’t See Hurt You the Most

Presentation by Jonathan Lampe, CISSP, VP Product Management, Ipswitch (www.IpswitchFT.com)





Presentation Transcript


  1. The Data Breaches You Don’t See Hurt You the Most
     Presentation by Jonathan Lampe, CISSP, VP Product Management
     www.IpswitchFT.com

  2. Who is Ipswitch?
     • Ipswitch is a global technology provider that enables companies and people to better manage their interactions regardless of size, scope and implementation needs.
     • Most Visible Brands:
       • WS_FTP – world’s favorite secure FTP client (and server)
       • MOVEit – Managed File Transfer

  3. Who am I?
     • Creator and architect of MOVEit managed file transfer system
       • Since 2002 almost 1500 enterprise deployments
       • Generally high-security, Internet-facing exchanges with partners or loosely coupled divisions
       • Helped put Ipswitch into the Gartner “Leaders” quadrant
     • Security professional
       • SANS GIAC GCIA and GSNA in 2001, CISSP in 2008
       • Point for FIPS (particularly 140-2), FISMA, ITAR initiatives
       • Implemented application security testing program and security training programs in Ipswitch (4 CISSPs, 6 other security certifications)

  4. How does your data flow? (diagram: Integration Technologies, SOA Technologies, BPM Technologies)

  5. How does your data flow?
     • According to Gartner…
       • 20% (by volume) is service messages
         • Transactions, SOAP, MQ, distributed database calls, etc.
         • $10B/yr. industry dedicated to this (IBM, Oracle, TIBCO, etc.)
       • 80% (by volume) is batch and file transmissions
         • Zip, ACH, XML documents, database extracts, designs, etc.
         • $0.5B/yr. industry dedicated to this (Ipswitch, Axway, Sterling, etc.)
         • Growing by 25%/yr.

  6. What do I need to know about my data flows? C I A ?

  7. What do I need to know about my data flows?
     • Depends on your security policy, but if you’re covered by:
       • FISMA, ITAR, PCI, HIPAA (HITECH), Mass 201 CMR 17, etc.
     • You need:
       • Integrity: the data at point A and at point D is identical
         • …even after passing through points B and C
       • Confidentiality: only those who should get access can get access
         • …and good access records from all points on the path of transit
     • As an IT professional, you’ll want:
       • Availability (many regulations just assume it)
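As an added example (not code from the presentation or from Ipswitch), the following Python makes the integrity and access-record requirements of slide 7 concrete: a file is relayed through points A, B, C and D, every point writes an access record with the digest of the bytes it handled, and point D checks its digest against the one recorded at A. Per-link encryption protects each hop; only an end-to-end digest tells you whether an intermediary changed the payload. The point names, actor names, record layout and the sample ACH line are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed transit path: (point, actor handling the file at that point).
PATH = [
    ("A", "erp-batch@hq"),
    ("B", "mft-gateway@dmz"),
    ("C", "relay@partner"),
    ("D", "ap-import@partner"),
]

# Constructed sample payload; any bytes would do.
SAMPLE = b"ACH,2010-03-02,ACME CORP,123456,1500.00\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_record(point: str, actor: str, filename: str, data: bytes) -> dict:
    """One access record for the transit path: who handled which bytes, where and when."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "point": point,
        "actor": actor,
        "file": filename,
        "bytes": len(data),
        "sha256": sha256_hex(data),
    }


def relay(path, filename, payload, transform=None):
    """Pass `payload` through every point on `path`, appending an audit record per point.

    `transform` maps a point name to a function that intermediary applies to the
    bytes (a tampering, or a lossy "helpful" conversion); points not listed
    forward the bytes untouched. Returns (bytes delivered at the last point, log).
    """
    log = []
    data = payload
    for point, actor in path:
        fn = (transform or {}).get(point)
        if fn is not None:
            data = fn(data)
        log.append(audit_record(point, actor, filename, data))
    return data, log


def verify_end_to_end(log):
    """Compare every point's digest with the one recorded at the origin.

    Returns (True, None) if the bytes never changed, otherwise (False, first
    point whose digest differs). This is what per-link TLS cannot tell you:
    it protects each hop, not what the intermediary did in between.
    """
    origin = log[0]["sha256"]
    for rec in log[1:]:
        if not hmac.compare_digest(rec["sha256"], origin):
            return False, rec["point"]
    return True, None


def demo():
    """Run a clean relay and one where point C silently edits an amount."""
    _, clean_log = relay(PATH, "ach_20100302.csv", SAMPLE)
    _, bad_log = relay(
        PATH, "ach_20100302.csv", SAMPLE,
        transform={"C": lambda b: b.replace(b"1500.00", b"15000.00")},
    )
    return verify_end_to_end(clean_log), verify_end_to_end(bad_log)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean relay:", clean)        # (True, None)
    print("tampered relay:", tampered)  # (False, 'C')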

  8. How well are we watching our data flows?

  9. How well are we watching our data flows?
     • 2009 Osterman Research white paper
       • 67% said they had “Security and Compliance” problems with “business-to-business” or “person-to-person” file transfers
       • 53% said they had “Security and Compliance” problems with “system-to-system” file transfers
     • Ipswitch survey at RSA 2010 (San Francisco)
       • 70% said their company had “no” visibility into files moving externally
       • 54% said their company had “no” visibility into files moving internally

  10. “Managed” File Transfer

  11. “Managed” file transfer: table stakes
      • Protocols, algorithms, etc.
        • FTP, SFTP, FTPS, browser-based, email
        • SSL/TLS, SSH, PGP, AS2, SHA, AES, PKI
        • Scheduled transfers, ad hoc transfers, restart of partial transfers
        • End-to-end integrity or reliable data transformation (“ETL lite”)
      • Enterprise architecture
        • HA (“High Availability”)
        • DMZ segments and tiered deployments
        • Integration w/ LDAP and enterprise databases
        • Extensive logging

  12. Who’s shaking up the industry?

  13. Who’s shaking up the industry?
      • “Prosumers” – changing expectations of what file transfer is
      • Risk management – asking for more and better governance

  14. “Prosumers” are speaking
      • Prosumer = “Professional Consumer”, someone who buys technology to use primarily for business
        • Hardware: cell phones, laptops, iPod, etc.
        • Online services: Gmail, Flickr, YouSendIt, etc.
      • They alter expectations of IT
        • Not only “support my device”, but user experience, service level
      • They circumvent IT (and organizational security policy)
        • “Did you mean to share your IntelProp with Google?”
        • Top services report that up to 65% of their free users are using a corporate email address (Gartner)

  15. Do you ban any of these?

  16. How big a problem is this?
      • 2009 Osterman Research white paper
        • “Email has become primary method for transferring files both within and outside of the organization.”
        • 29% of all new emails have attachments
        • 6% of attachments are >10MB
        • IT adds attachment size limits
      • Prosumers’ reaction (actual use vs. allowed by IT policy)
        • Personal email: 82% actual vs. 18% OK in policy
          • (At RSA, 66% self-reported this to Ipswitch)
        • Consumer IM: 71% actual vs. 29% OK in policy
        • Web-hosted file transfer: 51% actual vs. 49% OK in policy
        • IT-provided service: 48% actual vs. 52% OK in policy

  17. How do you handle the Prosumers? (carrot & stick)

  18. How do you handle the Prosumers?
      • Carrot
        • Give them wider device and service choices
          • Not “no” – “we use X for that”
        • Give good support on the chosen technologies
          • At some level, “it just works” will trump “oh shiny”
        • Free AV, health checkups, etc.
      • Stick
        • Condition of employment? (Probably not.)
        • SLA and education: “we can do that for you, or you’re on your own”
        • Tune the gateways to block or hinder non-approved technology
        • Truly monitor for dangerous activity
          • Data dumps, unusual destinations, etc.
        • Let the auditors in on this

  19. Last word on Prosumers
      • You’ve handled this before with:
        • Mobile devices, wireless networks, web browsers, PC revolution, etc.
      • But don’t delay either…

  20. Who has this? Can you vouch for ALL these lines?

  21. Evolving security function…
      • Regulations that cover both IT and corporate procedure continue to be developed
        • PCI DSS, FISMA, SAS 70, HIPAA HITECH
      • As a software vendor, I can only solve PART of these
      • As an IT Manager, you can only solve a larger PART of these
      • As a Risk Manager, you are charged with solving ALL of these
      • CISO and other security functions are either folded into or closely aligned with Risk Management

  22. From risk mgt. POV, what’s the difference?
      (diagram: three transport groups – FTP, NDM, AS2 | MQ, HTTP, JMS | SMTP, HTTP)

  23. What management craves: governance
      Six Governance Categories from the 2009 Gartner Magic Quadrant on Managed File Transfer:
      • Visibility
        • How do we track every interaction (transfer or management)?
        • How do we display status and issues on a near-realtime basis?
        • What do we need to report on and how do we do it?
      • Management
        • How do we control the interactions between our transactions, users and systems?
        • Workflow, transformation, splitting, merging, etc.
        • Group access and interaction
        • Prosumer needs
      • Enforcement
        • Security policy enforcement: encryption, authentication, permissions and access control
        • Automatic reaction and alerts
      • Measurement
        • Quantitative “metadata” about flows, usage and performance
        • Used for ROI and risk mitigation calculations, among other things
      • Provisioning
        • Can it be done w/ existing infrastructure? quickly? w/o interruption?
        • How fast/easy can we add partners, employees, others?
        • What is the migration path?
        • Who can do the work?
      • Validation
        • How do we ensure (test) that visibility is sufficient, policy is being enforced, measurements are accurate, and provisioning actually occurs?

  24. (A break for your eyes)

  25. When data moves, do you listen?
      • Acceptable use
        • Confidentiality, Integrity and Availability
        • Sniffers, audits, SIEM, network monitoring
        • Defined paths, correct endpoints
        • DRM (“Digital Rights Management”)
        • DLP (“Data Loss Prevention”)
      • Malicious use
        • AV, malware, IDS
      • Efficient use
        • Workflow, scheduling, ETL (“Extract, Transform, Load”), EDI
      • Are you collecting the right information?
      • Do you know how to use it?
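Slide 18 names two warning signs to monitor for (data dumps and unusual destinations) and slide 25 asks whether the right information is being collected and used. As an added example (not code from the presentation or from any Ipswitch product), the following Python runs those two checks over constructed transfer-log lines and also reports lines the parser cannot read, since a gap in the audit trail is itself a finding when you are expected to vouch for every transfer. The log layout, the approved-destination list, the per-hour thresholds and the sample lines are all assumptions for the example; a real MFT server's audit log will have its own fields.

```python
import re
from collections import defaultdict

# Constructed log layout for the example; a real MFT audit log will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dest=(?P<dest>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed allow-list of approved partner/internal endpoints (hypothetical names).
APPROVED_DESTS = {
    "sftp.partner-bank.example",
    "as2.supplier.example",
    "fileshare.corp.example",
}

# Assumed "data dump" thresholds per user per hour; tune to your own baseline.
DUMP_BYTES_PER_HOUR = 500 * 1024 * 1024
DUMP_FILES_PER_HOUR = 50

# Constructed sample lines. Line 2 goes to an unapproved host, lines 4-5 are a
# bulk pull by one user inside one hour, line 6 is missing its byte count.
SAMPLE_LOG = """\
2010-03-02T09:12:03Z user=alice action=upload dest=sftp.partner-bank.example file=ach_0302.csv bytes=20480
2010-03-02T09:40:51Z user=bob action=upload dest=files.personal-share.example file=roadmap.pptx bytes=4194304
2010-03-02T14:02:10Z user=carol action=upload dest=as2.supplier.example file=po_1001.xml bytes=8192
2010-03-02T14:05:11Z user=dave action=download dest=fileshare.corp.example file=cust_export_part1.zip bytes=314572800
2010-03-02T14:31:45Z user=dave action=download dest=fileshare.corp.example file=cust_export_part2.zip bytes=314572800
2010-03-02T14:33:02Z user=dave action=upload dest=sftp.partner-bank.example file=cust_export.zip
"""


def parse(line):
    """Return a dict for a well-formed line, or None so the caller can flag it."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def hour_bucket(ts):
    """'2010-03-02T14:05:11Z' -> '2010-03-02T14' (ISO-8601 prefix, UTC assumed)."""
    return ts[:13]


def detect(lines):
    """Flag unusual destinations, per-user data dumps, and unreadable lines."""
    findings = []
    per_user_hour = defaultdict(lambda: [0, 0])  # (user, hour) -> [bytes, files]
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append(("unparsed", n, line.strip()))
            continue
        # Outbound transfer to a host that is not on the approved list.
        if rec["action"] == "upload" and rec["dest"] not in APPROVED_DESTS:
            findings.append(("unusual_destination", rec["user"], rec["dest"]))
        key = (rec["user"], hour_bucket(rec["ts"]))
        per_user_hour[key][0] += rec["bytes"]
        per_user_hour[key][1] += 1
    # Volume or file-count spike for one user within one hour.
    for (user, hour), (nbytes, nfiles) in per_user_hour.items():
        if nbytes >= DUMP_BYTES_PER_HOUR or nfiles >= DUMP_FILES_PER_HOUR:
            findings.append(("data_dump", user, hour, nbytes, nfiles))
    return findings


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The hour bucket is deliberately crude; a production detector would use a sliding window and a per-user baseline rather than fixed thresholds, and would feed the findings to the SIEM the slide mentions rather than printing them.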

  26. The future?
      • Integration with authentication, data store and transport technology has been important to date
        • LDAP/AD, NAS/SAN, firewalls, load balancers, etc.
      • Integration with reporting and business intelligence will become more important
        • syslog, event logs, DB schemas/warehousing, SNMP, etc.
        • Dashboards, status, file lifecycle, pathing, aggregation, etc.
      • Industry convergence or integration
        • We saw this when the prosumer-friendly file send vendors appeared
        • More from ETL, EDI, AV, DLP and DRM industries

  27. (almost to the finish)

  28. Take-Aways
      • 80% of corporate data flows are “file transfer”
      • 70% lack insight into these flows, especially when they involve customers and partners
      • There IS a “file transfer” industry that addresses these needs
        • Know what the table stakes are before shopping
      • Two factors are shaking up file transfer
        • “Prosumers” are shaking up expectations of what file transfer is
        • Risk management is asking for more and better governance
      • Future will reward integrated solutions

  29. Questions or Other Follow-Up?
      • Contact Jonathan Lampe, CISSP, VP PM, Ipswitch File Transfer
        • jlampe@ipswitch.com
        • http://blog.ipswitchft.com/
      • Also on LinkedIn
        • Managed File Transfer Group
        • File Transfer Technology Group
