
A Practical Approach to Data Loss Prevention

Richard Trezza, CISSP

DLP Enterprise Solution Architect

McAfee, an Intel Company

Institute of Internal Auditors

Long Island Chapter Annual Conference

Melville Marriott Hotel

May 10, 2013

Agenda
  • Welcome to the Wild West 2.0
  • Privacy versus Protection
  • Different Languages
  • “Private Data” or “Personal Data”
  • Best Practices
Privacy versus Protection
  • Does a Reasonable Expectation of Privacy Exist in Cyberspace? What about at Work?
“Private Data” or “Personal Data”

It depends where in the world you are:

  • Australia = Personal Information
  • India = Sensitive Personal Data
  • Canada = Personal Information
  • Brazil = Personal Information
  • Germany = Personal Data
  • Netherlands = Dutch Works Council Definition
  • United States = Varies Based on State Laws
“Private Data” or “Personal Data”

What kind of data is “Private” or “Personal”?

Some details are obvious:

Name, Address, Phone, Gender, Religion, Age, Identity Number (SSN), Primary Account Numbers (PAN), etc.

Some details are not:

MAC Address, IP Address, Computer type, Browser, Smartphone Brand, City

Data Classification is Key

Defines what data is “Private”, “Personal” or “Company Confidential” and how said data shall be protected. It also specifies who does what if data is breached.
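The two tiers on the previous slide (obvious identifiers versus details that only identify in combination) drive the classification decision described here. As an added example that is not part of the presentation or any McAfee product, the Python below scans a record for the deck's obvious identifiers (SSN, Primary Account Number with a Luhn check) and its less obvious ones (IP and MAC address) and maps the result to a handling label; the patterns, tier names, label names and the sample record are constructed assumptions.

```python
import re

# Constructed patterns for the data types the deck lists (SSN pattern rejects
# area 000/666/9xx, group 00, serial 0000; PAN accepts 13-19 digits with separators).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
}
# Tiers from the deck: obviously personal vs. identifying only in combination.
DIRECT = {"ssn", "pan"}
QUASI = {"ipv4", "mac"}

def luhn_ok(digits: str) -> bool:
    """Mod-10 check; filters most random digit runs out of PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> dict:
    """Return {'direct': [(kind, value)], 'quasi': [(kind, value)]} found in text."""
    found = {"direct": [], "quasi": []}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "pan" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # digit run that is not a card number
            tier = "direct" if kind in DIRECT else "quasi"
            found[tier].append((kind, value))
    return found

def classify(text: str) -> str:
    """'personal' needs protection outright, 'quasi' only in combination, else 'none'."""
    found = scan(text)
    if found["direct"]:
        return "personal"
    if found["quasi"]:
        return "quasi"
    return "none"

# Constructed sample (not real data): SSN, valid card, Luhn-invalid card, IP, MAC.
SAMPLE = ("Customer SSN 123-45-6789 paid with card 4111 1111 1111 1111 "
          "(typo on file: 4111 1111 1111 1112) from 10.0.0.7 / 00:1A:2B:3C:4D:5E")
```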

Framing The Data Loss Problem

Data Types
  • Data-in-Motion
  • Data-in-Use
  • Data-at-Rest

Data Loss Vectors
  • Network: IM Chat, Email, Web Post
  • File Share
  • Database
  • Desktop/Laptop: Removable Media, Printer, Screen, Clipboard

Ubiquitous Access Compounds Risk

  • People have numerous accounts
  • People have multiple devices
  • People don’t perceive they have data to lose
  • Data is co-mingled all over the cloud

Mobile Data Loss Prevention: Similar, Yet Different

Similarities to PC
  • Critical mass of devices with rich data…attractive to cybercriminals
  • Valuable personal and business data resides and flows through the devices
  • Software vulnerabilities that create exploit opportunities
  • Traditional threats (Phishing, Rootkits, Key Loggers, Polymorphics)

Unique to Mobile
  • Mobile OSes are closed and diverse
  • CPU, memory, battery and performance limitations
  • New and expanded privacy concerns (lost devices, permission abuse)
  • More attack channels (SMS, 4G, Bluetooth, NFC, WiFi, SD Card...)
  • Increasing reliance on the cloud

Source: McAfee Labs April 2012

The Challenges of Bring Your Own Device (BYOD)

  • People have numerous accounts
  • People have multiple devices
  • People don’t perceive they have data to lose
  • Data is co-mingled all over the cloud

There is NO “Silver Bullet” Technology
  • A comprehensive approach is needed…
  • A combination of:
    • Technologies
    • Best practices
    • Business processes
    • Well Defined & Communicated Policies
Desktop Virtualization Simplifies Data Loss Risk in BYOD Environments

  • Data remains on the server, in your datacenter
  • Users view/consume data, but cannot download it to their system
  • Loss vectors are reduced (USB, DVD) and transmissions are controlled through the Organization’s Data Center

Agenda
  • Welcome to the Wild West 2.0
  • Privacy versus Protection
  • Different Languages
  • “Private Data” or “Personal Data”
  • Best Practices
Best Practices
  • Understand your Business
    • Are you a data broker selling information?
    • Are you a marketing firm buying data?
    • Are you a manufacturer with Intellectual Property to protect?
  • Identify the data you are collecting and storing
    • Customers, Employees, Users of your Web Site
    • Only collect data that you NEED or USE
    • Don’t collect data that you don’t NEED or USE
  • Do customers, users or employees have an expectation of privacy?
    • What do your policies say? Revise as needed
Best Practices
  • Do you have a privacy policy and does it clearly state what data is collected, how it will be used and how it will be protected (adequate security)?
    • Has the policy been communicated to employees, customers and partners?
    • Do they understand the policy?
  • Do you audit for compliance with the privacy policy?
    • Monitoring for compliance is complicated because European Nations have “Works Councils” that must approve monitoring for data loss and compliance
    • Germany, Netherlands, Belgium are examples
    • Always seek approval in local Countries
Best Practices
  • European Laws prohibit transmission of EU Citizen data outside of the EU
    • Unless the recipient maintains the same levels of protection and privacy safeguards as the EU
  • Anonymous data is safest
    • Don’t combine Names, Account Numbers unless absolutely necessary
    • If monitoring for compliance, clearly identify what is being monitored and require “four eyes” to identify users transmitting data
  • Always Encrypt “personal data” when stored or transmitted
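The three practices above (keep monitoring data anonymous, declare what is monitored, and require “four eyes” before a user is identified) can be enforced in the monitoring record itself. As an added example that is not part of the presentation or any McAfee product, the Python class below files DLP events under a keyed pseudonym, refuses events outside the declared scope, and only maps a pseudonym back to a person once two distinct approvers have signed off; the class, method names and demo key are constructed assumptions.

```python
import hmac
import hashlib

class MonitoringLedger:
    """DLP monitoring record that keeps analysts from seeing who sent what.

    Events are filed under an HMAC pseudonym of the user id, the monitoring
    scope is declared up front, and re-identifying a pseudonym needs two
    distinct approvers. Hypothetical design for illustration only.
    """

    def __init__(self, key: bytes, monitored: set):
        self._key = key             # secret held by the monitoring owner, not analysts
        self._vault = {}            # pseudonym -> user id, restricted store
        self.monitored = monitored  # declared scope: which data types are watched
        self.events = []            # what the compliance analyst may read
        self.approvals = {}         # pseudonym -> set of approver ids
        self.audit = []             # who approved / revealed what

    def pseudonym(self, user: str) -> str:
        # Keyed hash: same user -> same pseudonym, no way back without the key.
        return hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, user: str, vector: str, data_type: str) -> str:
        if data_type not in self.monitored:
            raise ValueError(f"{data_type!r} is outside the declared monitoring scope")
        p = self.pseudonym(user)
        self._vault[p] = user
        self.events.append({"who": p, "vector": vector, "data_type": data_type})
        return p

    def approve_reveal(self, p: str, approver: str) -> None:
        self.approvals.setdefault(p, set()).add(approver)
        self.audit.append(("approve", p, approver))

    def can_reveal(self, p: str) -> bool:
        # Two distinct approvers; the same person approving twice does not count.
        return len(self.approvals.get(p, set())) >= 2

    def reveal(self, p: str) -> str:
        if not self.can_reveal(p):
            raise PermissionError("four-eyes rule: two distinct approvers required")
        self.audit.append(("reveal", p))
        return self._vault[p]

# Constructed demo key; a real deployment would load it from a secrets store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
```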
Best Practices
  • Seek Legal Advice and Executive Sponsorship
    • Utilizing and protecting data without compromising privacy in Global markets is among the most complex, dynamic IT problems today
    • Communicate these considerations with Management
A Practical Approach to Data Loss Prevention

Questions?

Richard Trezza, CISSP
DLP Enterprise Solution Architect
McAfee, an Intel Company
Richard_Trezza@mcafee.com