
Data Protection: Security from the Inside Out

Data Protection: Security from the Inside Out. Fred Langston, CISSP Global Product Manager VeriSign, Enterprise Security Services December 3, 2007. Introduction. Data-centric security starts from the smallest elements – the data itself


Presentation Transcript


  1. Data Protection: Security from the Inside Out
  Fred Langston, CISSP
  Global Product Manager, VeriSign, Enterprise Security Services
  December 3, 2007

  2. Introduction
  • Data-centric security starts from the smallest elements – the data itself
  • So, do we really have a good definition of ‘data’ when it comes to security? Consider the “value” and “impact” of an adverse event:
    • Regulatory impacts
    • Monetary impact of loss
    • Direct costs associated with loss
    • Recreation of data if lost
    • Loss of CIA – Confidentiality, Integrity and Availability
  • In essence, we must “know” our data intimately and how it’s used, valued, and protected
  • From this knowledge, we can create a framework for security that focuses on the most valuable asset – the data itself

  3. Today’s Headlines – December 3, 2007
  • Data theft touches 150,000 Massachusetts seniors
    • Senior citizens who participate in a Massachusetts insurance program have received word that their personal information may have fallen into the hands of an identity thief.
  • UK government accuses Chinese of IT espionage
    • The British intelligence agency MI5 has warned 300 U.K. business concerns that their IT systems are under attack by Chinese state organizations.
  • Attackers exploiting unpatched QuickTime flaw
    • Please note that the people attempting to compromise your system do work weekends: the QuickTime vulnerability for which proof-of-concept code was revealed Thursday went into full attack mode over the weekend, with two campaigns underway.
  • DBA admits to theft of 8.5M records
    • A former senior database administrator at a subsidiary of Fidelity National Information Services last week pleaded guilty to stealing some 8.5 million customer records and selling them to data brokers.

  4. What are the causes of breaches?
  • Poor identity management
  • Poorly secured wireless
  • Unsecured physical assets
  • Application vulnerabilities
  • Lack of monitoring of logs and IDS
  • Network architecture flaws; flat networks
  • Data leakage into the DMZ, spreadsheets, and Access databases

  5. Store Less Data
  • What do you NEED to store?
    • What data is available to you?
    • What are the business and legal needs?
    • Where do you need to store this?
    • What is the associated risk?
  • Ask the hard questions!
    • Why do you need this?
    • What would you do without it?
  • What to do with risk?
    • Accept it (and face fines!)
    • Mitigate it
    • Insure it

  6. Data Security Problem #1 – Where’s the Beef, er, Data?!
  Data-centric security starts by knowing:
  • What the data is
  • What its value is
  • How to classify the data
  • Where the data:
    • Ingresses and egresses the enterprise
    • Is stored
    • Is processed
    • Is transmitted
    • Is retained
    • Is archived
    • Is destroyed

  7. Simple Solutions to Difficult Challenges
  • Understand your data flows
    • How many know their data flow end to end?
    • File shares – Word, Excel, and Access!!
    • Laptops & mobile devices
    • What about system and application failures and crashes?
      • Dump files, core dumps
      • Live memory
      • Debugging extracts
  • Store less data
    • You don’t have to secure what you don’t have
  • Create a Data Protection Framework!

  8. Data Protection Frameworks
  • Data identification and valuation
    • BIA
    • Statement of Acceptable Risk
    • Policy
  • Data classification
    • Policy
    • Awareness of policy
    • Implementation maturity
  • Data mapping and flow analysis
  • Data-centric risk analysis or regulatory compliance gap analysis
  • Sensitive data minimization
  • Create data protection control standards based on:
    • Storage, transmission, and processing of data
    • Value of data
    • Regulatory or business impact of a data breach

  9. Map your Data Flows

  10. Practical Tips for Avoiding Data Breaches
  • Address app & net vulnerabilities
    • Do you know the real risk?
  • Improve security awareness
    • People ARE the weakest link!
  • Monitor systems for intrusions
    • Monitor to stop and prevent
    • Filter outbound data based on data classification
  • Segment networks
    • Still the most effective way to reduce attack surface
  • Encrypt, encrypt, encrypt!
    • Manage the encryption keys properly

  11. Encrypt any Stored Data
  • Why is encryption so hard?
    • Legacy systems, more problems than encryption
    • Most platforms have some solution
    • Key management is still a massive problem
  • What are my options?
    • Retrofit applications
    • Use an encryption appliance
    • Use a database that supports encryption
    • Render unreadable without encryption (truncation, tokenization, hashing)
  • The dangers of encryption
    • Approach encryption enterprise-wide and create a sound strategy
    • Keep in mind, encryption is needed elsewhere, not just around one system
    • Pesky data flows are required again!
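The "render unreadable without encryption" option above (truncation, tokenization, hashing) is the one most often mis-applied, so here is an added example showing the three side by side on a card number. This is illustrative code written for this page, not anything from the presentation or from VeriSign; the sample PAN is the standard test number 4111111111111111, the vault is an in-memory dictionary standing in for a separately secured tokenization service, and the HMAC key is assumed to be provisioned from the same key-management process the slide says encryption keys need.

```python
import hashlib
import hmac
import secrets

# Constructed test value: the standard Visa test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def truncate(pan: str) -> str:
    """Truncation: keep only the last four digits. There is nothing to decrypt
    and nothing for a thief to sell, but also nothing to match on later."""
    return "*" * (len(pan) - 4) + pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. An unkeyed SHA-256 of a card number is
    reversible by enumeration (a known 6-digit BIN plus the Luhn check digit
    leaves about 10^9 candidates), so the key carries all of the protection
    and must live outside the database, managed like an encryption key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace the PAN with a random surrogate of the same length
    that keeps the last four digits for customer service. The mapping exists
    only inside the vault, so every other system that stores the token holds
    nothing worth stealing. (Hypothetical in-memory vault for illustration.)"""

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can go back; callers must be authorized for that."""
        return self._token_to_pan[token]


def protect_record(pan: str, hmac_key: bytes, vault: TokenVault) -> dict:
    """What a downstream system (order history, reporting DB) gets to keep:
    a display value, a token for later refunds, and a keyed hash for matching."""
    return {
        "display": truncate(pan),
        "token": vault.tokenize(pan),
        "match_key": keyed_hash(pan, hmac_key),
    }


def contains_pan(record: dict, pan: str) -> bool:
    """Verify that the stored record nowhere contains the original number."""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # in practice: fetched from the key manager
    record = protect_record(SAMPLE_PAN, key, vault)
    print(record, "leaks PAN:", contains_pan(record, SAMPLE_PAN))
    print("vault can recover:", vault.detokenize(record["token"]) == SAMPLE_PAN)
```

The point the slide makes about "pesky data flows" shows up here too: the record is only as safe as the weakest system that can reach the vault or the HMAC key, so mapping who can call detokenize() matters as much as the choice of technique.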

  12. Address Vulnerabilities
  • Assess applications
    • 45% of all Internet-based attacks occur at the application layer
  • Identify poorly coded web apps
    • Perform code review or application testing to ensure code is secure
  • Perform quarterly scans
    • And be sure to include applications
  • Implement strict SDLC processes
    • Try tracking vulnerabilities by developer

  13. Security Awareness & Training
  • People are your weakest security link!
    • Users do not take password controls seriously
    • Administrators tend to be bad offenders
  • Ongoing awareness training helps keep application vulnerabilities down
  • Proper training allows associates to find and disclose sensitive data
    • SSNs, DL, account numbers
    • Laptops
    • Large data storage areas
    • Excel and Access
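Slides 7 and 13 both come back to sensitive data hiding in file shares, spreadsheets and Access exports, and slide 10 asks for outbound filtering keyed on data classification. The same detection logic serves both, so here is one added example (written for this page, not the presenter's or VeriSign's code) that scans constructed sample files for SSNs and Luhn-valid card numbers, classifies each file, and applies a constructed egress policy to outbound text. The sample contents, paths and the four classification labels are all assumptions for the demo; only the last four digits of a hit are ever reported.

```python
import re
from dataclasses import dataclass

# Constructed sample "file share" contents (no real files or people). The SSNs
# are made up and 4111 1111 1111 1111 is the standard test card number.
SAMPLE_FILES = {
    "hr/benefits_export.csv": (
        "name,ssn,plan\n"
        "J. Doe,123-45-6789,Gold\n"
        "A. Roe,321-54-9876,Silver\n"
    ),
    "support/ticket_4411.txt": (
        "Customer paid with card 4111 1111 1111 1111, exp 12/09, please refund.\n"
    ),
    "eng/release_notes.txt": (
        "Build 2007.12.03 fixes the login timeout. Order #4111-1111 shipped.\n"
    ),
}

# SSN: AAA-GG-SSSS, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order and invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str       # "SSN" or "PAN"
    redacted: str   # last four digits only, safe to put in a report or log


def find_sensitive(path: str, text: str) -> list:
    """Locate SSNs and Luhn-valid card numbers in one document's text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "SSN", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(path, "PAN", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def classify(findings) -> str:
    """Assign the classification that the control standard keys off."""
    return "RESTRICTED" if findings else "INTERNAL"


def scan_share(files: dict) -> dict:
    """Data discovery: a classification per file, i.e. a 'where is the data' map."""
    return {path: classify(find_sensitive(path, text)) for path, text in files.items()}


# Constructed outbound control standard: may this classification leave the enterprise?
EGRESS_POLICY = {"RESTRICTED": False, "CONFIDENTIAL": False, "INTERNAL": True, "PUBLIC": True}


def egress_allowed(text: str) -> bool:
    """Outbound filter (slide 10): classify the payload, then apply the policy."""
    return EGRESS_POLICY[classify(find_sensitive("<outbound>", text))]


if __name__ == "__main__":
    for path, level in scan_share(SAMPLE_FILES).items():
        print(f"{level:10} {path}")
    for f in find_sensitive("support/ticket_4411.txt", SAMPLE_FILES["support/ticket_4411.txt"]):
        print(f.kind, f.redacted)
```

The Luhn check is what keeps the release-notes file out of the RESTRICTED bucket: "4111-1111" has the right look but the wrong length and no valid check digit. In a real deployment the regexes would be only the first stage; the classification would also carry the owner and retention from the data map, which is what makes the "store less data" conversation possible.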

  14. Monitor Systems for Intrusions & Anomalies
  • Intrusion detection/prevention strategies
    • Look for renegade egress devices like unauthorized wireless APs
    • Focus on an enterprise-wide logging and log management strategy
  • Implement strict SDLC processes

  15. Segmentation and Access Controls
  • Network segmentation
    • Is anyone else tired of hearing this suggestion?
    • Why is it so critical?
    • What are additional benefits?
      • Resilience to internal DoS
      • Centralized security*
  • Multi-level access controls
    • 802.1x, is it finally ready?
    • VPNs (IPSec and SSL)
    • Centralized identity management
    • Wireless

  16. Final Thoughts and Future Considerations
  • Data protection is a continual process: think of data protection as a journey, not a project, and manage it that way
  • Other things to think of
    • Mergers and acquisitions
    • New business lines
    • Global operations
    • Wireless and mobile payments
      • SIM-based payments
      • Chip & PIN, not exempt!
      • Devices such as iPhones
  • Use data protection to fuel security program development throughout your enterprise
  • THERE IS NO SILVER BULLET!

  17. Questions + Answers

  18. Thank You
  Fred Langston, CISSP
  FLangston@VeriSign.com
  (425) 765-3330
  For general information on VeriSign’s Security Services please email JMonahan@VeriSign.com or call (303) 886-1281
