
Enterprise Confidential Document Security: Current State and Future



Presentation Transcript


  1. Enterprise Confidential Document Security: Current State and Future • 許瑞愷 rickysheu@thu.edu.tw

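  2. Outline • Enterprise confidentiality and security requirements • Data security protection solutions and their evolution • Next-generation confidential document protection technologies and trends • Conclusion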

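  3. Revenue loss • Damage to the organization's reputation • Product design drawings • Strategy development • Plant construction blueprints • Decision-making information • Patent rights • Product formulas • Shaken investor confidence • Lost or leaked data • Contract data • Process specifications • Computer programs • Knowledge management • Unpublished financial and accounting data • Customer data • Erosion of customer trust in the organization • Interruption of business processes • Legal consequences • The importance of information security to the enterprise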

  4. Early information security focus – anti-hacking and anti-virus • Firewall • Trojans • DoS attacks • Viruses • Spam

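  5. Current enterprise information security problems • The TSMC and SMIC litigation • A former TSMC employee, before moving to a consulting role at SMIC in Shanghai, allegedly passed confidential wafer process data to SMIC by e-mail. • TSMC sued SMIC in a US court for "infringement of trade secrets". • The complaint stated that SMIC infringed TSMC's patents through various improper means, including having employees who had moved over from TSMC supply it with trade secrets; TSMC sought an injunction and related damages. January 2005 settlement agreement: • SMIC will pay TSMC US$175 million in installments over six years. • TSMC will also withdraw all pending lawsuits in the US federal court, the California district court, the US International Trade Commission, and the Hsinchu District Court. • TSMC retains the right to sue again. • The agreement also states that, until the end of December 2010, the two parties will cross-license the relevant patents.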

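  6. Current enterprise information security problems • 先探投資周刊, updated 2008-08-14, reporter: 許家綸 • Poaching from Foxconn: BYD grows from kitten to tiger • BYD has been poaching staff from Foxconn since 2003. In 2005 several senior managers moved to BYD and, in breach of their employee confidentiality agreements, took multiple confidential documents with them and set up a production process similar to Foxconn's. From Nokia's point of view, Foxconn's share of the handset contract-manufacturing market was too high, so Nokia also wanted to use BYD to counterbalance it. Pressed from several sides, Foxconn could only assert its rights and position through legal action, which was largely meant as a warning. In the end, the case may well be settled, as the earlier dispute with Sanyo was. BYD's financial statements therefore do not plan to set aside a provision for possible losses from this lawsuit.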

  7. Current enterprise information security problems – leaks • Important documents and data

  8. Sales • Marketing • R&D • Planning • Procurement • Production • Delivery • Service • Enterprise confidential data? • Over 80% of enterprise content is unstructured (Fulcrum Research) • Content volume is growing by over 200% per year (Forrester Research) • Unstructured data • Operation instructions, contracts, design documents and drawings, marketing reports, patents, production plans, receipts, … Unstructured

  9. The wide range of unstructured data • Manufacturing • Quality Management Plan • Customer Survey • Standard Operating Procedures • Audit Reports • Presentations • Facilities • Seating Chart • Networking Charts • Equipment Lease • Procedures • Building Lease • Training • Tech Tips • MSDS • Drawings • SOPs • Tooling Diagrams • Setup Instructions • NC Data • SPC Data • Batch Records • Recipes • Equipment Records • Manuals • Tooling • Design • Specification • Support • Tech Tips • Problem Analysis • Bug Report • Case Report • Configuration Worksheets • Call Tracking Report • Case Resolution • Training • Finance and Legal • Contracts • Licenses • Schedules • Correspondence • Invoice • Budgets • Reports • Contracts • Shipping Statements • Usage Reporting • 10K report • 10Q report • 114 report • Sales • Account Plan • Customer Commitment • Order/Quote • Proposal • Correspondence • Presentation • Demo Scripts • Status Reports • Forecast • Confidential Disclosure • Marketing • Collateral • Position Paper • Press Release • Newsletter • Presentation • Services Request Form • Competitive Analysis • Training Overviews • Training Presentations • News Clippings • Competitor Information • Analyst Reports • Launch Plan • Seminar Plan • Trade Show Plan • Partner Plan • ROI Study • Application Profile • Customer Profile • Industry Profile • Price List • Pricing Analysis • Pricing Proposals • Product Plan • Ad Plan • Analyst Presentation • Human Resources • Personal Action Notice • Benefits Election • Benefits Statements • Resume • Performance Reviews • Training Certification • Personal Information • Policies and Procedures • Mission Statement • Core Values • Objectives • Corporate Directory • Memo • Purchase Request • Expense Form • Services • Methodology • Work Breakdown Structure • Requirements • Implementation Plan • Recommendation/Plan • Questionnaire • Data Collection • Design Documents • Specification Documents • Test Plans • Test Results • Documentation • Training Plan • Training • Configuration Plan • Configuration Inventory • Risk Management • Installation Plan • Conversion Plan • Product Development • Product Proposal • MRD • Project Plan • PDP Check List • Functional Spec • Design Spec • Software • Check In Notice • Test Plan • Test Result • Tech Pubs Plan • Documentation • Support Plan • Training Plan • Launch Plan • Beta Plan • Manufacturing Plan • Evaluation • Transition Plan • Bill of Materials • Packaging Material • Internationalization Plan • Meeting Minutes • Prototypes/Research • Contract for Services • Letter of Understanding • Nondisclosure • Schedule • OEM Contract • VAR Contract • Activity Reports • Build Procedures • Executives • Strategic Plans • Budgets • Status Reports • Industry Research • Application Definition • Industry Profile • Process Profile • Company Profile Average Company: 200-300 Types of Content

  10. Risk of confidential data leakage? • Circulation risks across the document life cycle

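  11. What about other collaborators? – View & Measure? • $ • Communication and collaboration • Project management • $ • Resource management • Portfolio management • Risk • Correction • Data circulation scenario within the enterprise – product design documents • Product concept • Specification definition • Engineering samples • Design verification • Pilot production and quality control • Mass production and changes • Management Legal Sales Finance Proposals MarComm Provisioning Marketing Testing Support Manufacturing Engineering Logistics R&D Operations Regulation Compliance Procurement • Process scope covered by existing CAD tools and design change management systems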

  12. Risk of confidential data leakage? • Leak risks created by new devices and technologies for moving data

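  13. Improper access by employees • Employee departures • E-mail transmission • Instant messaging • Trojans • File security threat points • Suppliers/customers not complying with confidentiality agreements • Access through computer peripherals • A growing number of information security leak threats • Improper operation and maintenance of software and hardware • Spyware • FTP transfers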

  14. Evolution of document security protection solutions • Secure Envelop • DRM (Digital Rights Management) • DLP (Data Loss Prevention) • Transparent Document Protection

  15. PDF (Secured) PDF (Secured) DMS PDF Source File PDF Hsinchu (Secured) Source File Secure Envelop • A typical web-based document sharing and management system • Review • Check Out • Publish/Check In • Taichung (Secured)

  16. Document Convert Server DMS Server PDF Source File Secure Envelop • Stored content encrypted • Document Repository • Encrypted in transit • Publish/Check In • Encrypted in transit • Content Server HTTPS (SSL) XML-Based Content DRM Solution (content encryption and protection)

  17. Secure Envelop 案例 R&D Designer QC Engineer CAD Native Files Protected Share/Public Folder Automatic Processes Actify Publisher DMP Multi-site File Server DMP Server

  18. The original files still get stolen!

  19. DRM DRM DRM Digital Rights Management • C-DRM • E-Books • Music (Media Player) REL

  20. C-DRM mechanism

  21. C-DRM architecture

  22. C-DRM workflow

  23. Email File system Content Server Compliance Content Management Records Management Intranet/Extranet SharePoint • Current state of E-DRM requirements

  24. E-DRM architecture • E-DRM: Enterprise DRM • Solution isolated from existing systems

  25. E-DRM Policy

  26. E-DRM technical architecture diagram • E-DRM: Enterprise DRM • DRM

  27. E-DRM case study • Without the MS Word plug-in, the encrypted document cannot be opened • Even if the document is copied, it still cannot be leaked

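  28. E-DRM case study • To open an encrypted document, the user must first log in to the DRM server and authenticate; only then can the document be opened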

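  29. Difficulties facing DRM • A "Warring States" era: no single worldwide encryption/decryption standard • File formats are complex, and vendors are unwilling to compromise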

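  30. Difficulties facing DRM • Security policy is hard to define and enforce • Does the author decide the policy? • Does the company decide the policy? • Will senior management cooperate?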

  31. Protection evolves further – comprehensive blocking!! • DLP • Data Loss Prevention is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. It is also referred to by various vendors as Data Leak Prevention, Information Leak Detection and Prevention (ILDP), Information Leak Prevention (ILP), Content Monitoring and Filtering (CMF) or Extrusion Prevention System, by analogy to intrusion-prevention system.

  32. DLP

  33. DLP • Data at rest • includes scanning of storage and other content repositories to identify where sensitive content is located. We call this content discovery. • Data in motion • sniffing of traffic on the network (passively or inline via proxy) to identify content being sent across communications channels. • Data in use • endpoint solutions that monitor data as the user interacts with it. For example, they can identify when you attempt to transfer a sensitive document to a USB drive and block it. It also detects things like cut and paste, or use of sensitive data in an unapproved application.

  34. DLP Technologies • Data Discovery and Protection • Keyword matching • Content filtering • Data Monitoring and Prevention • Intrusion detection • Content collection/recognition

  35. DLP case study – Vontu acquired by Symantec

  36. DLP case study

  37. DLP case study

  38. DLP case study

  39. DLP case study

  40. DLP case study

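  41. Passing important files through instant messaging software • Sending important files by e-mail • Saving over the network to other unencrypted disks • Data/URL filtering • Network/hardware disabling • AP (application) disabling • Disk encryption • Files read in plaintext • Document security protection – future trends • File creation • Storage • Internal and external sharing • The existing layer-upon-layer blocking mechanisms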

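  42. Files encrypted automatically at creation • Files encrypted when stored • Files encrypted when read • Files encrypted in transit • Document security protection – future trends • File creation • Storage • Internal and external sharing • Encrypt from the starting point, when the document is created and stored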

  43. User Mode IO Operations I/O Manager IRP + FastIO + FsFilter Interfaces Minifilter Filter Manager Frame 1 (1000-9999) Minifilter Minifilter Legacy Filter Driver Minifilter Filter Manager Frame 0 (0-1000) Minifilter FAT NTFS RDR • Document security trend – transparent encryption/decryption

  44. Conceptual IO Flow Conceptual IO Flow MiniSpy Filter (Altitude: “400”) AntiVirus Filter AntiVirus Filter (Altitude: “300”) (Altitude: “300”) MiniSpy Filter (Altitude: “200”) Encryption Filter Encryption Filter (Altitude: “100”) (Altitude: “100”) Volume Volume c: “LanmanRedirector” • Document security trend – transparent encryption/decryption • Instance: a filter's attachment to a volume at a particular altitude • Support multiple instances of a minifilter on a volume • Altitude determines relative stack position

  45. Transparent encryption/decryption – case study • Demo

  46. Questions and discussion
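
Slide 44's statement that altitude determines relative stack position, shown as an added example that is not part of the original presentation: a user-mode C model (not driver code) in which a write passes the filters from high altitude to low, so the AntiVirus filter at 300 inspects plaintext while the Encryption filter at 100 turns it into ciphertext just above the volume. The filter names and altitudes are taken from the slide; the XOR key is a toy stand-in for a real cipher, and the function names are hypothetical.

```c
/* User-mode model of the altitude ordering on slide 44; not driver code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY 0x5A /* toy XOR key standing in for a real cipher (assumption) */
typedef struct { const char *name; int altitude; } Filter;
static char seen_by_av[64]; /* what the AntiVirus filter observed on a write */

/* Sort descending: the highest altitude sits closest to the I/O manager. */
static int by_altitude_desc(const void *a, const void *b) {
    return ((const Filter *)b)->altitude - ((const Filter *)a)->altitude;
}

static void xor_buf(char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= KEY;
}

/* Write path (pre-operation): filters run from high altitude down to the volume. */
static void write_through_stack(Filter *stack, size_t count, char *buf, size_t n) {
    qsort(stack, count, sizeof *stack, by_altitude_desc);
    for (size_t i = 0; i < count; i++) {
        if (strcmp(stack[i].name, "AntiVirus") == 0 && n < sizeof seen_by_av) {
            memcpy(seen_by_av, buf, n);
            seen_by_av[n] = '\0';
        }
        if (strcmp(stack[i].name, "Encryption") == 0) xor_buf(buf, n);
    }
}

/* Read completion (post-operation): filters run from low altitude back up. */
static void read_through_stack(Filter *stack, size_t count, char *buf, size_t n) {
    qsort(stack, count, sizeof *stack, by_altitude_desc);
    for (size_t i = count; i-- > 0; )
        if (strcmp(stack[i].name, "Encryption") == 0) xor_buf(buf, n);
}

int main(void) {
    Filter stack[] = { {"Encryption", 100}, {"MiniSpy", 400}, {"AntiVirus", 300} };
    char data[] = "SECRET"; /* constructed sample buffer */
    size_t n = strlen(data);
    write_through_stack(stack, 3, data, n);
    printf("AV saw \"%s\"; first byte on volume: 0x%02X\n", seen_by_av, (unsigned char)data[0]);
    read_through_stack(stack, 3, data, n);
    printf("application reads back \"%s\"\n", data);
    return 0;
}
```

If the Encryption filter were attached above the AntiVirus filter instead, the scanner would only ever see ciphertext on writes, which is why the slide places encryption at the lowest altitude.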
