Securing Sensitive Information
Shared by: liamei12345
Posted: 10/16/2011
Language: English
Pages: 37

Securing Sensitive Information
Discovery, Monitoring and Control
Robert Griffin
Director, Technical Marketing
RSA, the Security Division of EMC
What’s Happening To Customer / Employee Data
Source: Privacy Rights Clearing House, Data Loss Database, RSA Research & Analysis
Cost of Data Breaches
[Charts: Average Cost Per Breach; Breach Costs Break Down; Average Cost Per Breached Record]
• Tangible financial impact
• Long-term damage to brand equity
• Total cost per breach is increasing
• 44 US States have notification laws
• EU & Australia data privacy policies
Source: Ponemon Institute 2008 Annual Study on Cost of a Data Breach
Challenge: Expanding Information
[Diagram: information spread across the tiers Endpoint, Network, Apps/DB, FS/CMS and Storage: internal employees; enterprise applications, production database, replica, business analytics; file server, SharePoint, eRoom, etc.; backup tape, disk arrays, backup disk]
Challenge: Expanding Identities
[Diagram: the same tiers (Endpoint, Network, Apps/DB, FS/CMS, Storage) now reached by remote employees, partners and customers through channels, partner entry points, customer entry points and VPN; contractors at the endpoint; privileged users at every tier]
Challenge: Expanding Infrastructure
[Diagram: the same tiers and identities, with mobility, cloud and virtualization added to the infrastructure]
Challenge: Increasing Threats
[Diagram: threats placed on the same tiers and identities: IP sent to non-trusted user; stolen IP; fraud; app, DB or key hack; encryption credentials stolen; endpoint theft/loss; network leak via email, IM, HTTP, FTP, etc.; privileged user breach; inappropriate access; tapes lost or stolen; public data leak; unintentional distribution via USB/print; (semi-)trusted user misuse; discarded disk; infrastructure hack/exploit]
Challenge: Increasing Regulation
20% of IT staff time
[List of regulations, standards and guidance shown on the slide:]
Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~
SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and
Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Information, FTC 16 CFR 314 ~ Privacy of Consumer Financial
Information Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Information Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity
Planning ~ FFIEC Audit ~ FFIEC Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be
made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~
Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST Introductory Resource
Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Information Security Acceptable Risk Safeguards (ARS) ~ CMS Information Security Certification &
Accreditation (C&A) ~ FDA Electronic Records; Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric
Reliability Council (NERC) ~ VISA CISP (Cardholder Information Security Program) ~ Mastercard SDP (Site Data Protection) Program ~ American Express DSS (Data Security
Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic
Transactions Act (UETA) ~ FISMA (Federal Information Security Management Act) ~ FISCAM (Federal Information System Controls Audit Manual) ~ FIPS Security Requirements for
Cryptographic Modules 140-2 ~ FIPS Guideline for the Analysis of LAN Security 191 ~ FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Information Technology
Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management Software...5015-2 ~
CISWG Report on the Best Practices Subgroup ~ CISWG Information Security Program Elements ~ NCUA Guidelines for Safeguarding Member Information 12 CFR 748 ~ IRS
Revenue Procedure: Retention of books and records 97-22 ~ IRS Revenue Procedure: Record retention: automatic data processing 98-25 ~ IRS Internal Revenue Code Section
501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Information and Documentation: Records management: General ~ ISO 15489-2
Information and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Information ~ Sedona Principles Addressing Electronic
Document Production ~ NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Information Systems 800-18 ~ NIST
Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST Contingency Planning Guide... 800-34 ~ NIST ...Patch and
Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Information Systems 800-53 ~
NIST ...Mapping...Information and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations
in...Information System Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Information technology – Guidelines for management of IT Security ~
ISO 17799:2000 Code of Practice for Information Security Management ~ ISO 27001:2005 ...Information Security Management Systems -- Requirements ~ IT Information Library
(ITIL) Planning to Implement Service Management ~ IT Information Library (ITIL) ICT Infrastructure Management ~ IT Information Library (ITIL) Service Delivery ~ IT Information
Library (ITIL) Service Support ~ IT Information Library (ITIL) Application Management ~ IT Information Library (ITIL) Security Management ~ COSO Enterprise Risk Management
(ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency
Management and Business Continuity... ~ Information Security Forum (ISF) Standard of Good Practice ~ Information Security Forum (ISF) Security Audit of Networks ~
A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide -
Information Technology Controls ~ ISSA Generally Accepted Information Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability Evaluation
(OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Children's Online Privacy
Protection Act (COPPA) 16 CFR 312 ~ Driver's Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974
5 USC 552a ~ Telemarketing Sales Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~
AR Personal Information Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB 2116 ~ CA Information Practice Act SB 1386 ~ CA General Security
Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~
CO Prohibition against Using Identity Information for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social
Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Information HB 5184 ~
DE Computer Security Breaches HB 116 ~ FL Personal Identification Information/Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230 ~ GA Public employees; Fraud,
Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Information Protection Act HB 1633 ~ IN Release of Social Security
Number, Notice of Security Breach SB 503 ~ LA Database Security Breach Notification Law SB 205 Act 499 ~ ME To Protect Maine Citizens from Identity Theft LD 1671 ~
MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity
Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~
ND Personal information protection act SB 2251 ~ OH Personal information -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~
TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty;
restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU Directive
on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 661 ~
Directive On Privacy And Electronic Communications 2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~
UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact Assessment ~ The Combined Code on Corporate Governance ~
Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Committees Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service
Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal
Information Protection and Electronic Documents Act ~ Canada Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data
Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech Republic Personal Data Protection Act ~
Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection
Act ~ German Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~
Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland
Information Risk Management
Business / Regulatory Drivers
1 Define Policy: Classification & Control Policy
2 Discover/Detect: high-value information, identities, credentials or assets; inadequate information controls, risk or process; information infrastructure
3 Implement & Enforce
4 Monitor & Report
Discover Your Sensitive Data
Protect Corporate Competitive Advantage • Comply With Regulations
Personally Identifiable Information (PII) • Personal Health Information (PHI) • Credit Card Data • Corporate Secret Data
Unstructured • Semi-Structured • Structured
Monitor Your Sensitive Data
Regulatory Data: Compliance Objectives
Corporate Secrets: Governance & Risk Objectives
Secure Your Sensitive Data
Inputs: User Action, Data Sensitivity, User Identity
Risk scale: LOW to HIGH
Actions, from lowest to highest risk: ALLOW, NOTIFY, AUDIT; QUARANTINE, JUSTIFY, COPY; MOVE, BLOCK, DELETE; ENCRYPT, SHRED, RMS (DRM)
Discovering Sensitive Information
Reducing Your Sources of Risk: Data at Rest
Discover / Analyze / Remediate; rescan sources to measure and manage risk
File shares, Servers, Laptops: •Windows file shares •Unix file shares •NAS / SAN storage •Windows 2000, 2003 •Windows XP, Vista
300+ File types: •Microsoft Office Files •PDFs, PSTs •Zip files •Microsoft Access •CATIA files •Content Mgmt systems
Databases & Repositories: •SharePoint •Documentum •Oracle, SQL
Remediation: • Secure Delete • Manual/Auto Move • Manual/Auto Quarantine • Notifications • eDRM
Business Policy to Information Discovery
Business Policy
• Business policies, e.g. "An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization."
• Regulations, e.g. PCI, EU Data Protection Directive
Enterprise Assets
• Systems, e.g. Customer Requirements Management
• Information, e.g. Customer Data
Governance Team
• Establish business policy for DLP discovery
• Investigation of DLP findings that violate policy
• Update policies to reflect changes in business, technology and threats
Audit Procedures
• Verify customer data is only shared with authorized third parties; verify customer data is encrypted at rest
DLP Administrator
• Assessment
• DLP policies & rules
• Status & Exceptions: assessment findings, escalated incidents
DLP Policies
• Content blades: Credit Card Number, Driver's Licence number, Social Security number
• DataCenter: e.g. move if not encrypted
• Endpoint: e.g. block USB, notify user
• Network: e.g. block, notify sender
DLP Policies
Each policy answers What, Who, Where and How across three stages: 1 Identification, 2 Notification, 3 Remediation.
1. Policies identify a violation by specifying
– What: content is identified by Content Blades; the match can be narrowed further by attributes such as file type and file size.
– Who: the same content may be a violation for some people, AD groups or departments while being perfectly acceptable for others.
– Where: in the network, the datacenter, the endpoint or all of them; in a particular subset of scans identified by a scan group (which can represent a business unit or geography); or on a specific user action (at copy or at print).
2. Policies set up notification by defining
– Who: who is responsible for handling the incident (the user who created it, the administrator, the user's manager)
– What: what is in the notification (e.g. notification customized per AD group or policy, included links)
– How: send an email, pop up a window, integrate into a Remedy or SIEM solution
3. Policies define remediation by specifying
– What: the remediation options, including encryption, quarantine, block, copy, move, delete and apply rights management.
– How: through automated actions at the time of the incident; through workflow that can leverage the AD hierarchy; through facilitated actions; or through manual actions with incident management
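The three stages above, identification (what / who / where), notification (who / what / how) and remediation (what / how), as a small policy engine. This is an added example, not RSA's code; the policy names, AD groups, user names, channels and the remediation ordering are constructed for illustration, and the manager lookup stands in for an AD hierarchy query.

```python
"""Toy DLP policy engine: identification, notification and remediation.
Added example, not RSA's code; all names below are constructed."""
from dataclasses import dataclass

# Remediation options from least to most restrictive; when several policies
# match one event the most restrictive action wins (a constructed ordering).
REMEDIATION_RANK = ["audit", "notify", "justify", "encrypt", "quarantine", "block"]

# Constructed org data standing in for an AD hierarchy lookup.
MANAGER_OF = {"alice": "bob", "carol": "dave"}
DLP_ADMIN = "dlp-admin"


@dataclass(frozen=True)
class Event:
    """One observed handling of content, as an endpoint agent or sensor reports it."""
    blades: frozenset      # content blades that matched, e.g. {"Credit Card Number"}
    file_type: str
    file_size: int         # bytes
    user: str
    groups: frozenset      # AD groups of the user
    location: str          # "network" | "datacenter" | "endpoint"
    action: str            # "send" | "copy" | "print" | "scan"


@dataclass(frozen=True)
class Policy:
    name: str
    blades: frozenset                                   # What: required blades
    file_types: frozenset = frozenset()                 # What: empty = any type
    min_size: int = 0                                   # What: size attribute
    exempt_groups: frozenset = frozenset()              # Who: legitimate users
    locations: frozenset = frozenset({"network", "datacenter", "endpoint"})  # Where
    actions: frozenset = frozenset()                    # Where: empty = any action
    notify_roles: tuple = ("user",)                     # Notification: "user"/"manager"/"admin"
    channel: str = "email"                              # Notification: "email"/"popup"/"siem"
    remediation: str = "audit"                          # Remediation
    severity: str = "low"


def identify(policy, ev):
    """Stage 1: matching blades if the event violates the policy, else None."""
    hit = policy.blades & ev.blades
    if not hit:
        return None
    if policy.file_types and ev.file_type not in policy.file_types:
        return None
    if ev.file_size < policy.min_size:
        return None
    if policy.exempt_groups & ev.groups:          # Who: allowed for this population
        return None
    if ev.location not in policy.locations:       # Where
        return None
    if policy.actions and ev.action not in policy.actions:
        return None
    return sorted(hit)


def recipients(policy, ev):
    """Stage 2: resolve notification roles to people via the org lookup."""
    out = []
    for role in policy.notify_roles:
        if role == "user":
            out.append(ev.user)
        elif role == "manager":
            out.append(MANAGER_OF.get(ev.user, DLP_ADMIN))  # no manager: admin handles it
        elif role == "admin":
            out.append(DLP_ADMIN)
    return out


def evaluate(policies, ev):
    """Run all stages; returns the incidents raised and the one action to enforce."""
    incidents = []
    for p in policies:
        hit = identify(p, ev)
        if hit is None:
            continue
        incidents.append({"policy": p.name, "blades": hit, "severity": p.severity,
                          "notify": recipients(p, ev), "channel": p.channel,
                          "remediation": p.remediation})
    if not incidents:
        return [], "allow"
    enforced = max((i["remediation"] for i in incidents), key=REMEDIATION_RANK.index)
    return incidents, enforced


POLICIES = [  # constructed policies
    Policy("PCI outbound", frozenset({"Credit Card Number"}), locations=frozenset({"network"}),
           exempt_groups=frozenset({"Finance-PCI"}), notify_roles=("user", "manager"),
           remediation="block", severity="high"),
    Policy("PII to removable media", frozenset({"Social Security Number"}),
           locations=frozenset({"endpoint"}), actions=frozenset({"copy"}),
           channel="popup", remediation="justify", severity="medium"),
    Policy("PII audit", frozenset({"Credit Card Number", "Social Security Number"}),
           notify_roles=("admin",), channel="siem", remediation="audit", severity="low"),
]

if __name__ == "__main__":
    ev = Event(frozenset({"Credit Card Number"}), "xlsx", 40_000, "alice",
               frozenset({"Engineering"}), "network", "send")
    print(evaluate(POLICIES, ev))
```

The same card-number content is blocked for an engineer but only audited for the Finance-PCI group, which is the "Who" distinction the slide makes; the audit policy always fires as well, so the SIEM record exists even when a stricter policy enforces.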
Data Identification
Identifying sensitive data requires multiple techniques:
• Described Content: detection rules, context rules, exceptions
• Content Fingerprinting: full & partial match; databases; files
• Attributes: transmission metadata; file size, type, etc.; owner, sender, etc.
These techniques together provide accurate results in identifying sensitive data.
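The three technique families in working form: a described-content rule (a card-number pattern with a Luhn check and an exception list), content fingerprinting with full and partial match (hashed word shingles), and attribute rules on file metadata. This is an added example, not RSA's code; the registered contract text, the card numbers, the shingle size, the match threshold and the attribute rules are all constructed for illustration.

```python
"""Data identification: described content, fingerprinting, attributes.
Added example, not RSA's code; sample data is constructed."""
import hashlib
import re

# --- Described content: detection rule for card numbers plus a Luhn context check
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def described_content(text, exceptions=frozenset()):
    """Masked card numbers found by the rule, skipping listed exceptions (e.g. test PANs)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits) and digits not in exceptions:
            hits.append("*" * (len(digits) - 4) + digits[-4:])   # never log the full PAN
    return hits


# --- Content fingerprinting: exact hash plus word-shingle hashes for partial copies
def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def register(text, k=5):
    """Fingerprint a document: full hash and a set of hashed k-word shingles."""
    words = _words(text)
    shingles = {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
                for i in range(len(words) - k + 1)}
    full = hashlib.sha256(" ".join(words).encode()).hexdigest()
    return {"full": full, "shingles": shingles, "k": k}


def fingerprint_match(text, fp, min_shingles=3):
    """'full' for an exact copy, 'partial' when enough shingles reappear, else None."""
    cand = register(text, fp["k"])
    if cand["full"] == fp["full"]:
        return "full", len(fp["shingles"])
    shared = len(cand["shingles"] & fp["shingles"])
    return ("partial", shared) if shared >= min_shingles else None


# --- Attributes: metadata rules that need no content inspection (constructed)
ATTRIBUTE_RULES = [
    {"name": "large CAD file", "types": {"catpart", "catproduct"}, "min_size": 5_000_000},
    {"name": "Access database", "types": {"mdb", "accdb"}, "min_size": 0},
]


def attribute_hits(meta):
    return [r["name"] for r in ATTRIBUTE_RULES
            if meta["type"] in r["types"] and meta["size"] >= r["min_size"]]


def identify(text, meta, registry, exceptions=frozenset()):
    """Combine all three families into one list of (technique, name, detail) findings."""
    findings = [("content", "Credit Card Number", h) for h in described_content(text, exceptions)]
    for name, fp in registry.items():
        m = fingerprint_match(text, fp)
        if m:
            findings.append(("fingerprint", name, m))
    findings += [("attribute", name, meta["type"]) for name in attribute_hits(meta)]
    return findings


# Constructed sample data: a registered contract and a known test PAN on the exception list
CONTRACT = ("This agreement between Example Corp and the Customer governs the delivery "
            "of professional services and the handling of all confidential materials "
            "exchanged during the engagement, including pricing and roadmap details.")
REGISTRY = {"Legal Contracts": register(CONTRACT)}
TEST_CARDS = frozenset({"4111111111111111"})

if __name__ == "__main__":
    email = ("Hi, the card is 5555 5555 5555 4444. Also note the handling of all "
             "confidential materials exchanged during the engagement, including pricing.")
    print(identify(email, {"type": "txt", "size": 300}, REGISTRY, TEST_CARDS))
```

The exception list is what keeps a described-content rule quiet on known test values, and the shingle threshold is what lets fingerprinting catch a paragraph pasted into an otherwise unrelated email rather than only a byte-for-byte copy; both knobs are the usual places to tune false positives.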
Data Discovery and Remediation
Configuration Analysis
• Infrastructure: logs, vulnerabilities, configuration
• Information: location, sharing, usage
User Identity Analysis
• Name, title, business group, organization hierarchy, special privileges
Questions answered
• Who has access to data
• What controls are in effect
• What is the level of risk
• Remediation approaches
Use Case: Information Discovery
The analyst gets a full picture of where sensitive information is located and how it is protected.
Monitoring Sensitive Information
Protecting Data in the Network: Data in Motion
Monitor / Analyze / Enforce
Email: •SMTP email •Exchange, Lotus, etc. •Webmail •Text and attachments
Instant Messages: •Yahoo IM •MSN Messenger •AOL Messenger
Web Traffic: •FTP •HTTP •HTTPS •TCP/IP
Remediation: •Audit •Block •Encrypt •Log
Correlating Event Information
Use cases: Malicious Code Detection; Spyware Detection; Access Control Enforcement; Privileged User Management; Unauthorized Service Detection; IP Leakage; Real-Time Monitoring; Troubleshooting; Configuration Control; Lockdown Enforcement; False Positive Reduction; User Monitoring; SLA Monitoring
Log sources: Web server logs; Web cache & proxy logs; activity logs; Content management logs; Switch logs; IDS/IDP logs; VA scan logs; Router logs; Windows logs; Windows domain logins; VPN logs; Firewall logs; Wireless access logs; Linux, Unix, Windows OS logs; Oracle Financial logs; Mainframe logs; DHCP logs; Client & file server logs; SAN file access logs; VLAN access & control logs; Database logs
Incident Workflow
Consolidate violations: Violation Event 1, Violation Event 2, ... Violation Event "n" are combined by policy-based logical grouping into a Security Incident
Send alerts based on risk: HIGH: alert Security Officer; MEDIUM: alert Manager; LOW: no alerts, audit only
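The consolidation and risk-based alerting on this slide as a worked example: violation events are grouped into incidents by a logical key and a time window, an incident's severity is the highest of its events (escalated when the volume is high), and alerts are routed HIGH to the security officer, MEDIUM to the manager, LOW to audit only. This is an added example, not RSA's code; the event feed, the grouping key, the 60-minute window, the escalation count and the routing names are constructed.

```python
"""Incident workflow: consolidate violation events, alert by risk.
Added example, not RSA's code; feed and thresholds are constructed."""
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
# Routing from the slide: HIGH -> security officer, MEDIUM -> manager, LOW -> audit only
ROUTING = {"high": "security-officer", "medium": "manager", "low": None}
WINDOW = timedelta(minutes=60)   # events closer than this on one key join the same incident
ESCALATE_AT = 5                  # this many events in one incident bumps severity one level


def group_key(ev):
    """Policy-based logical grouping: same user, same policy, same channel."""
    return (ev["user"], ev["policy"], ev["channel"])


def consolidate(events):
    """Turn a stream of violation events into incidents."""
    incidents = []
    open_by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = group_key(ev)
        inc = open_by_key.get(key)
        if inc is None or ev["ts"] - inc["last"] > WINDOW:   # new or expired: open an incident
            inc = {"key": key, "events": [], "first": ev["ts"], "last": ev["ts"],
                   "severity": ev["severity"]}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["events"].append(ev)
        inc["last"] = ev["ts"]
        if SEVERITY_RANK[ev["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = ev["severity"]
    for inc in incidents:   # many low-level hits from one source are themselves a signal
        if len(inc["events"]) >= ESCALATE_AT and inc["severity"] != "high":
            inc["severity"] = "medium" if inc["severity"] == "low" else "high"
    return incidents


def route(incidents):
    """Send alerts based on risk; low-risk incidents are recorded for audit only."""
    alerts, audit_only = [], []
    for inc in incidents:
        target = ROUTING[inc["severity"]]
        if target is None:
            audit_only.append(inc["key"])
        else:
            alerts.append((target, inc["key"], inc["severity"], len(inc["events"])))
    return alerts, audit_only


T0 = datetime(2011, 10, 16, 9, 0)
EVENTS = [  # constructed feed
    *({"ts": T0 + timedelta(minutes=m), "user": "alice", "policy": "PII audit",
       "channel": "smtp", "severity": "low"} for m in (0, 5, 10, 15, 20)),
    {"ts": T0 + timedelta(minutes=2), "user": "carol", "policy": "PCI outbound",
     "channel": "https", "severity": "high"},
    {"ts": T0 + timedelta(minutes=30), "user": "dave", "policy": "PII to removable media",
     "channel": "usb", "severity": "medium"},
    {"ts": T0 + timedelta(hours=3), "user": "alice", "policy": "PII audit",
     "channel": "smtp", "severity": "low"},
]

if __name__ == "__main__":
    alerts, audit_only = route(consolidate(EVENTS))
    for a in alerts:
        print(a)
    print("audit only:", audit_only)
```

Five low-severity audit hits from one sender inside twenty minutes become a single medium incident that reaches a manager, while the same sender's isolated hit three hours later stays in the audit trail; the window and escalation count are the two values to tune against the volume a real feed produces.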
Use Case: Security Incident
The analyst investigates a malware outbreak; DLP detects whether confidential information is leaving the network.
Securing Sensitive Information
Reducing Your Sources of Risk: Data at Rest
Using Encryption to Secure Data at Rest
Encryption layers: Application Based; DB or File Based; Host Based; SAN Based; Platform Based
[Diagram: clients, LAN, SAN, WAN and servers, with Enterprise Key Management serving LTO4 tape (IBM, HP, Quantum), Cisco SME SAN encryption, a key manager and application encryption]
Protecting Data in the Network: Data in Motion
Securing Data in Motion
Monitor Risk Exposure for Data in Motion
• Audit data in motion
• Notify sender of inappropriate communication; notify and escalate to sender's manager
Prevent Risk Exposure for Data in Motion
• Real-time blocking of transmissions: email in active mode; web, secure web and FTP in active mode via proxies
Remediate Risk Exposure for Data in Motion
• Quarantine: hold till approved by manager, SOC, etc.; sender self-remediation (justify actions); automated timed release to prevent business impact
• Encrypt: redirect to perimeter encryption engine (PGP, IronPort, etc.)
• Block
Protecting Data at the Endpoint: Data in Use
Monitor / Analyze / Enforce
Print & Burn: •Local printers •Network printers •Burn to CDs/DVDs
USB: •External hard drives •Memory sticks •Removable media
Copy and Save As: •Copy to Network shares •Copy to external drives •Save As to external drives
Actions & Controls: • Allow • Justify • Block • Audit & Log
Rights Management Services
Persistent Protection = Encryption + Policy:
• Access Permissions
• Use Right Permissions
Use Case: Protecting Data with Rights Management
1. RMS admin creates RMS templates for data protection (e.g. "Legal Contracts": Legal can View, Edit, Print; outside law firm can View; others have No Access)
2. DLP admin designs policies to find sensitive data and protect it using RMS (DLP policy: find Legal Contracts, apply the Legal Contracts RMS template)
3. DLP discovers and classifies sensitive files on laptops/desktops, file shares, SharePoint and other repositories
4. DLP applies RMS controls based on policy
5. Users (legal department, outside law firm, others) request files; RMS provides policy-based access
Discovering, Monitoring and Managing Your Sensitive Data
Protect Corporate Competitive Advantage • Comply With Regulations
Personally Identifiable Information (PII) • Personal Health Information (PHI) • Credit Card Data • Corporate Secret Data
Unstructured • Semi-Structured • Structured
Questions?